(54) Targeted secure printing

(57) Secure transmission of data to an intended image output device, wherein the data can be used to generate an image at the intended image output device in the presence of an intended recipient. The data is encrypted using a first key. The first key is then encrypted using a second key and a third key. The second key is a public key of a first private key/public key pair, a private key of the first private key/public key pair being primarily in the sole possession of the intended image output device. The third key is a public key of a second private key/public key pair, a private key of the second private key/public key pair being primarily in the sole possession of the intended recipient of the image. The encrypted data and the twice-encrypted first key are transmitted to the intended image output device. The twice-encrypted first key is then decrypted by using the private keys of the second and first key pairs, respectively, which are primarily in the sole possession of the intended recipient and the intended image output device, respectively. The data is then decrypted and printed at an image output device.




FIG. 5A

EP 1 091 285 A2
Description 

[0001] The present invention concerns secure printing wherein an image can be generated only by an intended image output device in the presence of an intended recipient. In particular, the invention concerns encryption of print data in such a manner that the data can only be decrypted using information supplied both by the intended image output device and by the intended recipient.

[0002] In a networked office environment, a print 
job generated by a computer at one location in the net- 
work can be printed by an image output device at 
another location. If the print job includes confidential or 
otherwise sensitive information, concerns arise about 
unauthorized interception of the print job at one of sev- 
eral points in the network. In particular, the print job can 
be intercepted by a device on the network such as a 
computer system running simple network snooping 
tools. 

[0003] In addition, concerns also arise about unau- 
thorized viewing of the printed output. The printed doc- 
ument may be viewed by any person who happens to be 
near the image output device before the intended recip- 
ient arrives to collect the document. 
[0004] Similar issues arise with a facsimile trans- 
mission. The transmission can be intercepted, and any 
person who arrives at a destination facsimile machine 
before the intended recipient can view the facsimile doc- 
ument. 

[0005] Accordingly, what is needed is an arrange- 
ment whereby a printed or faxed document can only be 
generated at an intended image output device in the 
presence of an intended recipient. 
[0006] The invention addresses the foregoing need 
by encrypting print data using a symmetric encryption 
algorithm with a randomly generated symmetric key, 
and then encrypting the symmetric key so that it can 
only be recovered by an intended image output device 
in the presence of an intended recipient. The encryption 
of the key is performed by an asymmetric encryption 
(i.e., public/private key-pair) algorithm. The key is 
encrypted twice, using public keys for both the intended 
recipient and for the intended image output device. 
Then, the encrypted print data and the encrypted ran- 
domly generated key are sent to the image output 
device. 

[0007] In order to generate an image for the document, the twice-encrypted symmetric key is decrypted using the private keys for both the image output device and the intended recipient. Preferably, the private key for the intended recipient must be personally supplied by the recipient. Upon decryption of the symmetric key, the print data is decrypted using the decrypted symmetric key, and an image is output by the image output device in accordance with the decrypted print data.

[0008] As a result of the foregoing arrangement, the symmetric key can only be recovered using the private keys for both the intended recipient and for the intended image output device. Thus, as long as the private keys remain in the sole possession of the intended recipient and the intended image output device, respectively, the symmetric key can only be recovered at the intended image output device in the presence of the intended recipient. Because the symmetric key is needed to decrypt the print data, an image can be printed from the print data only at the intended image output device in the presence of the intended recipient.

[0009] Accordingly, one aspect of the present invention concerns secure transmission of data to an intended image output device such as a printer or a facsimile machine. The data can be used to generate an image only at the intended image output device in the presence of an intended recipient. The data is encrypted using a first key. The first key is then twice encrypted using a second key and then a third key. The second key is the public key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended image output device. The third key is the public key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended recipient. The encrypted data and the twice-encrypted first key both are then transmitted to the intended image output device.

[0010] Preferably, the first key is randomly generated. In addition, the encryption of the data with the first key is preferably performed using a symmetric encryption algorithm, and the encryption of the first key with the second and third keys is preferably performed using an asymmetric encryption algorithm.

[0011] Moreover, the order of encryption of the first key using the second and third keys can be reversed. For instance, encryption of the first key using the second key can occur before a second encryption of the first key using the third key. Alternatively, encryption of the first key using the third key can occur before a second encryption of the first key using the second key.

[0012] Preferably, the twice-encrypted first key is contained within a header along with other information relating to the identities of the sender and the recipient. Also, in the preferred embodiment, the method further includes the steps of processing the header and the encrypted data by application of a cryptographic hashing algorithm, resulting in a header hash and a data hash, and of digitally signing the header hash and the data hash with a fourth key. The fourth key is the private key of a third private key/public key pair, the private key of the third private key/public key pair being primarily in the sole possession of the person initiating the transmission of data. The transmitting step preferably transmits the signed header hash and the signed data hash along with the encrypted data and the twice-encrypted first key.

[0013] By virtue of the foregoing arrangements, data for generating an image can be transmitted to an image output device, whereby the image is only capable of being printed by the intended image output device in the presence of an intended recipient.
[0014] In another aspect, the invention concerns generation of an image from data transmitted to an intended image output device, such as a printer or a facsimile machine, or such a device itself. The data can be used to generate the image only at the intended image output device in the presence of an intended recipient. Encrypted data and a twice-encrypted first key are received by the device. The encrypted first key is twice decrypted using a second key and a third key, respectively. The second key is a private key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended recipient. The third key is a private key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended image output device. After the encrypted first key is twice decrypted, the encrypted data is decrypted using the decrypted first key, and an image is generated by the intended image output device from the decrypted data.

[0015] Preferably, the decryption of the first key using the second and third keys is performed using an asymmetric decryption algorithm. Decryption of the encrypted data using the decrypted first key is preferably performed using a symmetric decryption algorithm.

[0016] Depending upon the order of encryption of the first key, decryption of the first key using the second key can occur before decryption of the first key using the third key. Alternatively, decryption of the first key using the third key can occur before decryption of the first key using the second key.

[0017] In the preferred embodiment, the second key is contained in a smart-card which is in the possession of the intended recipient. Thus, the second key is primarily accessible only with permission by the intended recipient. Likewise, the third key is preferably contained in a smart-chip which is maintained internally in the intended image output device, thereby being shielded from access by devices other than the intended image output device.

[0018] Preferably, the device also receives a header containing information related to the identities of the sender and the recipient. Also, in the preferred embodiment, the receiving step further includes receipt of a signed header hash and a signed data hash. The authenticity of the signed header hash and of the signed data hash preferably are verified using a fourth key which is the public key of a third public key/private key pair, the private key of the third public key/private key pair being primarily maintained in the sole possession of the person who initiated the transmission of the data for receipt by the device. If the signed header hash or the signed data hash fail verification of authenticity, the encrypted data is preferably discarded. Otherwise, the integrity of the signed header hash and the signed data hash are verified by application of a cryptographic hashing algorithm to the header and the encrypted data. If the signed header hash or the signed data hash fail the verification of integrity, the encrypted data is preferably discarded.

[0019] By virtue of the foregoing arrangements, data sent to an image output device is used to generate an image only if the data is intended for that image output device, and only if an intended recipient is present to supply a needed private key.
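The sender side of [0006]-[0012] (random first key, symmetric encryption, the key wrapped under the printer's and then the recipient's public key, both hashes signed) and the device side of [0014]-[0018] (signature checks that discard the job on failure, unwrapping with the recipient's and then the printer's private key, decryption), as a worked example added here. It is not code from the patent or its applicant. It uses only the Go standard library and assumes AES-256-GCM as the symmetric algorithm, RSA-OAEP for the asymmetric wrapping and RSA-PSS for the signatures, all of which the patent leaves unspecified; the wire layout (SecureJob, headerBytes), the function names and the key sizes are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SecureJob is the constructed wire format: header fields (sender, recipient, nonce,
// twice-encrypted first key), encrypted print data, and signatures over both hashes.
type SecureJob struct {
	Sender, Recipient  string
	Nonce, WrappedKey  []byte // GCM nonce; OAEP(recipientPub, OAEP(printerPub, firstKey))
	Data               []byte // AES-GCM ciphertext of the print data
	HeaderSig, DataSig []byte // sender's RSA-PSS signatures (the fourth key)
}
// headerBytes fixes one encoding of the header so both sides hash the same bytes.
func (j *SecureJob) headerBytes() []byte {
	return bytes.Join([][]byte{[]byte(j.Sender), []byte(j.Recipient), j.Nonce, j.WrappedKey}, []byte{0})
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signHash signs SHA-256(msg); verifyHash recomputes the hash from the received
// bytes (integrity) and checks the signature against it (authenticity).
func signHash(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}
func verifyHash(pub *rsa.PublicKey, msg, sig []byte) error {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil)
}

// EncryptJob is the printer-driver side: encrypt the data with a random first key,
// wrap that key under the printer's public key (second key) and then under the
// recipient's public key (third key), and sign both hashes with the sender's key.
func EncryptJob(sender, recipient string, plain []byte, printerPub, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*SecureJob, error) {
	kn := make([]byte, 32+12) // random AES-256 first key followed by a 96-bit GCM nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	firstKey, nonce := kn[:32], kn[32:]
	gcm, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	job := &SecureJob{Sender: sender, Recipient: recipient, Nonce: nonce, Data: gcm.Seal(nil, nonce, plain, nil)}
	// Sizing caveat: the outer modulus must hold the inner ciphertext. A 2048-bit printer
	// key yields 256 bytes, which OAEP/SHA-256 fits only under a recipient key of 3072+ bits.
	job.WrappedKey = firstKey
	for _, pub := range []*rsa.PublicKey{printerPub, recipientPub} {
		if job.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, job.WrappedKey, nil); err != nil {
			return nil, err
		}
	}
	if job.HeaderSig, err = signHash(senderPriv, job.headerBytes()); err != nil {
		return nil, err
	}
	if job.DataSig, err = signHash(senderPriv, job.Data); err != nil {
		return nil, err
	}
	return job, nil
}

// PrintJob is the printer side: verify both signatures and discard the job on failure,
// unwrap the first key with the recipient's smart-card key and then the printer's
// smart-chip key, and only then decrypt the print data.
func PrintJob(job *SecureJob, senderPub *rsa.PublicKey, recipientPriv, printerPriv *rsa.PrivateKey) ([]byte, error) {
	if err := verifyHash(senderPub, job.headerBytes(), job.HeaderSig); err != nil {
		return nil, fmt.Errorf("header signature rejected, job discarded: %w", err)
	}
	if err := verifyHash(senderPub, job.Data, job.DataSig); err != nil {
		return nil, fmt.Errorf("data signature rejected, job discarded: %w", err)
	}
	key, err := job.WrappedKey, error(nil)
	for _, priv := range []*rsa.PrivateKey{recipientPriv, printerPriv} {
		if key, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, key, nil); err != nil {
			return nil, fmt.Errorf("first key cannot be unwrapped, job discarded: %w", err)
		}
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, job.Nonce, job.Data, nil)
}
```

Because the first key is wrapped in full a second time, the outer key pair has to be sized for the inner ciphertext: a recipient smart-card holding a 2048-bit key could not OAEP-wrap a 2048-bit printer ciphertext, which is why a caller of this example gives the recipient a 3072-bit key (the reverse order of [0011] reverses the sizing). The printer verifies both signatures before either private key is used, so a job whose header or data was altered in transit never reaches the smart-card, and a job addressed to a different recipient fails at the first unwrap.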

[0020] Another aspect of the invention concerns secure transmission of data to an intended image output device, wherein the data can be used to generate an image only at the intended image output device in the presence of an intended recipient. In this aspect, the data is encrypted twice using a first key and a second key, the first key being the public key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended image output device, and the second key being the public key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended recipient of the image. The twice-encrypted data is then transmitted to the intended image output device.

[0021] By virtue of the foregoing arrangements, data for generating an image can be transmitted to an image output device, whereby the image is only capable of being printed by the intended image output device in the presence of an intended recipient.
[0022] In another aspect, the invention is directed to generation of an image from twice-encrypted data transmitted to an intended image output device, wherein the twice-encrypted data can be used to generate the image only at the intended image output device in the presence of an intended recipient. In this aspect, twice-encrypted data is received and then twice decrypted by using a first key and a second key. The first key is the private key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended recipient of the image. The second key is a private key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended image output device. An image is then generated from the decrypted data.

[0023] By virtue of the foregoing arrangements, data sent to an image output device is used to generate an image only if the data is intended for that image output device, and only if an intended recipient is present to supply a needed private key.

[0024] In yet another aspect of the invention, a method is provided for secure transmission of data to an intended image output device, wherein the data can be used to generate an image at the intended image output device in the presence of an intended recipient. The method comprises a first encrypting step of encrypting the data using a first key, and a second encrypting step of twice encrypting the first key using a second key and a third key, the second key being a public key of a first private key/public key pair, a private key of the first private key/public key pair being primarily in the sole possession of the intended image output device, and the third key being a public key of a second private key/public key pair, a private key of the second private key/public key pair being primarily in the sole possession of the intended recipient of the image. A generating step then generates a header containing the twice-encrypted first key and in a first transmitting step, the header is transmitted to the intended image output device. In a receiving step a request is received from the intended image output device for the encrypted data, and then in a second transmitting step the encrypted data is transmitted to the intended image output device.

[0025] By virtue of the foregoing arrangements, a header for a print job can be sent to an intended image output device, but the corresponding encrypted data does not have to be sent to the intended image output device until required by the intended image output device. In addition, the intended image output device is used to generate an image only if the data is intended for that image output device, and only if an intended recipient is present to supply a needed private key.

[0026] In another aspect of the invention, a method is provided for generating an image from data transmitted to an intended image output device, wherein the data can be used to generate the image at the intended image output device in the presence of an intended recipient. The method comprises a receiving step of receiving a header containing a twice-encrypted first key and a sending step of sending a request for encrypted data corresponding to the header. The method also comprises a receiving step of receiving encrypted data corresponding to the header, and a first decrypting step of twice decrypting the twice-encrypted first key using a second key and a third key, the second key being a private key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended recipient of the image, and the third key being a private key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended image output device. A second decrypting step is provided for decrypting the encrypted data using the decrypted first key, and an image generating step generates an image from the decrypted data.

[0027] By virtue of the foregoing arrangements, a header for a print job can be sent to an intended image output device, but the corresponding encrypted data does not have to be sent to the intended image output device until required by the intended image output device. In addition, the intended image output device is used to generate an image only if the data is intended for that image output device, and only if an intended recipient is present to supply a needed private key.
[0028] The invention may be implemented in 
method or apparatus, or computer-executable process 
steps, such as a printer driver, an image output device 
for transmitting the data for secure printing, as well as 
special-purpose apparatus such as a printer or a fac- 
simile machine for receiving and printing the data. 
[0029] This brief summary has been provided so 
that the nature of the invention may be understood 
quickly. A more complete understanding of the invention 
can be obtained by reference to the following detailed 
description of the preferred embodiments thereof, which 
are described by way of example only with reference to 
the attached drawings in which: 

Figure 1 is a representative view of a networked computing environment in which an embodiment of the present invention may be implemented.
Figure 2 is a detailed block diagram showing the internal architecture of the computer shown in Figure 1 according to an embodiment of the present invention.
Figure 3 is a detailed block diagram showing the internal architecture of the printer shown in Figure 1 according to an embodiment of the present invention.
Figure 4 is a detailed block diagram showing the server shown in Figure 1 according to an embodiment of the present invention.
Figure 5A is a view for providing an explanation of encryption of data and a symmetric key of a secure print job according to a first embodiment of the present invention.
Figure 5B is a view for providing an explanation of encryption of data of a secure print job according to a second embodiment of the present invention.
Figure 5C is a view for providing an explanation of the decryption and printing of a secure print job according to an embodiment of the present invention.
Figure 5D is a view for providing an explanation of the decryption and printing of a secure print job according to another embodiment of the present invention.
Figure 6 is a view for providing an explanation of the structure of an encrypted data format according to an embodiment of the present invention.
Figure 7A is a view for providing an explanation of the structure of an encrypted header format according to an embodiment of the present invention.
Figure 7B is a view for providing an explanation of the structure of an encrypted header format according to another embodiment of the present invention.
Figure 8 is a flowchart for providing an explanation of encryption and transmission of a secure print job according to the present invention.
Figure 9 is a flowchart for providing an explanation of decryption and printing of a secure print job according to the present invention.

[0030] The present invention is generally directed to the secure printing of image data such that the image data can only be printed on an intended output image device in the presence of an intended recipient. The present invention therefore provides a manner by which a document can be securely transmitted from a computer to a remote image output device in a networked environment. The document is maintained in a secure fashion until the intended recipient is present at the intended image output device, whereupon the intended image output device prints the image.

[0031] Figure 1 provides an overall system view of a networked computing environment in which an embodiment of the present invention may be implemented. As shown in Figure 1, the networked computing environment comprises a network which is connected to desktop computer 10, laptop computer 20, server 40, digital copier 30 and printer 50. Network 100 is preferably an Ethernet network medium consisting of a bus-type physical architecture, although the invention can be utilized over other types of networks, including the Internet.

[0032] Desktop computer 10 is preferably an IBM PC-compatible computer having a windowing environment such as Microsoft Windows 95, Windows 98 or Windows NT. As is typical with IBM PC-compatible computers, desktop computer 10 preferably has a display, keyboard, mouse, floppy drive and/or other type of storage medium (not shown). Also attached to desktop computer 10 is smart-card interface device 15 for interfacing with a smart-card of a computer user, such as smart-card 16. Smart-card 16 therefore provides a mechanism whereby a computer user can authenticate the user's identity to desktop computer 10. In addition, smart-card 16 contains a private key of a private/public key pair which is specific to a computer user and which is used in the present invention for the secure printing of image data as discussed more fully below.

[0033] Laptop computer 20 is also an IBM PC-compatible computer having a windowing environment such as Microsoft Windows 95, Windows 98 or Windows NT. Like desktop computer 10, laptop computer 20 also has a display, keyboard, mouse and floppy drive or other storage means (not shown). In addition, laptop computer 20 also has a smart-card interface device 25 attached to it for interfacing to the smart-card of a computer user such as smart-card 26. Also attached to network 100 is digital copier 30, which is capable of receiving image data over network 100 for printing. Digital copier 30 also has attached smart-card interface device 35 for interfacing with the smart-card of a print job recipient, such as smart-card 36. In addition, server 40 is also connected to network 100. Server 40 preferably comprises an IBM PC-compatible computer having an operating system such as DOS, Microsoft Windows 95, Windows 98 or Windows NT, UNIX or other operating system. Server 40 has a storage device 41 which is preferably a large fixed disk for storing numerous files. Server 40 can therefore be utilized by other devices on network 100 as a file server and may also act as a gateway for other devices on network 100 to another network such as the Internet.

[0034] Printer 50 is also connected to network 100 and is preferably a laser or bubble-jet printer which is capable of operating as both a printer and a facsimile device. Printer 50 has a storage device 51 which is preferably a large fixed disk, and also has an embedded smart-chip 57 which contains a private key of a private/public key pair corresponding to printer 50 for use in encryption and/or decryption of data received by printer 50. In addition, printer 50 is connected to smart-card interface device 55 which is capable of interfacing with a smart-card of a print job recipient, such as smart-card 56. In this manner, the printing of a print job for a particular intended recipient may be controlled through the use of smart-card interface device 55 and smart-card 56, in combination with smart-chip 57 in printer 50.
[0035] Figure 2 is a block diagram showing an overview of the internal architecture of desktop computer 10. In Figure 2, desktop computer 10 is seen to include central processing unit (CPU) 210 such as a programmable microprocessor which is interfaced to computer bus 200. Also coupled to computer bus 200 are keyboard interface 220 for interfacing to a keyboard, mouse interface 230 for interfacing to a pointing device, floppy disk interface 240 for interfacing to a floppy disk, display interface 250 for interfacing to a display, network interface 260 for interfacing to network 100, and smart-card interface 265 for interfacing to smart-card interface device 15.

[0036] Random access memory ("RAM") 270 interfaces to computer bus 200 to provide central processing unit ("CPU") 210 with access to memory storage, thereby acting as the main run-time memory for CPU 210. In particular, when executing stored program instruction sequences, CPU 210 loads those instruction sequences from fixed disk 280 (or other memory media) into random access memory ("RAM") 270 and executes those stored program instruction sequences out of RAM 270. It should also be noted that standard disk-swapping techniques available under windowing operating systems allow segments of memory to be swapped to and from RAM 270 and fixed disk 280. Read-only memory ("ROM") 290 stores invariant instruction sequences, such as start-up instruction sequences for CPU 210 or basic input/output operation system ("BIOS") sequences for the operation of peripheral devices attached to computer 10.

[0037] Fixed disk 280 is one example of a computer-readable medium that stores program instruction sequences executable by central processing unit ("CPU") 210 so as to constitute operating system 281, printer driver 282, smart-card interface driver 283, other drivers 284, word processing program 285, other programs 286, e-mail program 287 and other files 288. As mentioned above, operating system 281 is preferably a windowing operating system, although other types of operating systems may be used with the present invention. Printer driver 282 is utilized to prepare image data for printing on at least one image output device, such as printer 50. Smart-card interface driver 283 is utilized to drive and control smart-card interface 265 for interfacing with smart-card interface device 15 so as to read and write to a smart-card such as smart-card 16. Other drivers 284 include drivers for each of the remaining interfaces which are coupled to computer bus 200.

[0038] Word processing program 285 is a typical word processor program for creating documents and images, such as Microsoft Word, or Corel WordPerfect. Other programs 286 contains other programs necessary to operate desktop computer 10 and to run desired applications. E-mail program 287 is a typical e-mail program that allows desktop computer 10 to receive and send e-mails over network 100. Other files 288 include any of the files necessary for the operation of desktop computer 10 or files created and/or maintained by other application programs on desktop computer 10.
[0039] Figure 3 is a block diagram showing an overview of the internal architecture of printer 50. In Figure 3, printer 50 is seen to contain a printer smart-chip 57 which, as previously mentioned, contains a private key corresponding to printer 50 for encryption/decryption purposes. Printer 50 also contains a central processing unit ("CPU") 310 such as a programmable microprocessor which is interfaced to printer bus 300. Also coupled to printer bus 300 are control logic 320, which is utilized to control the printer engine of printer 50 (not shown), I/O ports 330 which is used to communicate with various input/output devices of printer 50 (not shown), smart-card interface 365 which is utilized to interface with smart-card interface device 55, and network interface 360 which is utilized to interface printer 50 to network 100.

[0040] Also coupled to printer bus 300 are EEPROM 340, for containing non-volatile program instructions, random access memory ("RAM") 370, printer memory 51 and read-only memory ("ROM") 390. RAM 370 interfaces to printer bus 300 to provide CPU 310 with access to memory storage, thereby acting as the main run-time memory for CPU 310. In particular, when executing stored program instruction sequences, CPU 310 loads those instruction sequences from printer memory 51 (or other memory media) into RAM 370 and executes those stored program instruction sequences out of RAM 370. ROM 390 stores invariant instruction sequences, such as start-up instruction sequences for CPU 310 or BIOS sequences for the operation of various peripheral devices of printer 50 (not shown).
[0041] Printer memory 51 is one example of a computer-readable medium that stores program instruction sequences executable by CPU 310 so as to constitute printer engine logic 351, control logic driver 352, I/O port drivers 353, smart-card interface driver 354, encryption/decryption logic 355, queue 356, other files 357, printer smart-chip driver 358, and e-mail program 359. Printer engine logic 351 and control logic driver 352 are utilized to control and drive the printer engine of printer 50 (not shown) so as to print an image according to image data received by printer 50, preferably over network 100. I/O port drivers 353 are utilized to drive the input and output devices (not shown) connected through I/O ports 330. Smart-card interface driver 354 is utilized to drive smart-card interface 365 for interfacing to smart-card interface device 55, thereby enabling printer 50 to read and write to a smart-card such as smart-card 56.

[0042] Encryption/decryption logic 355 enables printer 50 to receive encrypted data according to the present invention and to carry out the necessary steps to enable the decryption of the encrypted print data in the presence of an intended recipient. The details of these steps are discussed more fully below. Queue 356 is utilized to contain a print queue comprised of numerous print jobs which are to be printed. Other files 357 contain other files and/or programs for the operation of printer 50. Printer smart-chip driver 358 is utilized to drive and interface with printer smart-chip 57 for encryption/decryption purposes. Lastly, e-mail program 359 is a typical e-mail program for enabling printer 50 to receive e-mail messages from network 100. Such e-mail messages may contain print job-related information, as discussed in more detail below.
[0043] Figure 4 is a block diagram showing an overview of the internal architecture of server 40. In Figure 4, server 40 is seen to include a central processing unit ("CPU") 410 such as a programmable microprocessor which is interfaced to computer bus 400. Also coupled to computer bus 400 is a network interface 460 for interfacing to network 100. In addition, random access memory ("RAM") 470, fixed disk 41, and read-only memory ("ROM") 490 are also coupled to computer bus 400. RAM 470 interfaces to computer bus 400 to provide CPU 410 with access to memory storage, thereby acting as the main run-time memory for CPU 410. In particular, when executing stored program instruction sequences, CPU 410 loads those instruction sequences from fixed disk 41 (or other memory media) into RAM 470 and executes those stored program instruction sequences out of RAM 470. It should also be recognized that standard disk-swapping techniques allow segments of memory to be swapped to and from RAM 470 and fixed disk 41. ROM 490 stores invariant instruction sequences, such as start-up instruction sequences for CPU 410 or basic input/output operating system ("BIOS") sequences for the operation of peripheral devices which may be attached to server 40 (not shown).

[0044] Fixed disk 41 is one example of a computer-readable medium that stores program instruction sequences executable by CPU 410 so as to constitute operating system 411, network interface driver 412, encryption/decryption logic 413, e-mail program 414, queue 415, and other files 416. As mentioned above, operating system 411 can be an operating system such as DOS, Windows 95, Windows 98, Windows NT, UNIX, or other such operating system. Network interface driver 412 is utilized to drive network interface 460 for interfacing server 40 to network 100. Encryption/decryption logic 413 allows server 40 to receive encrypted data and to either maintain such data in queue 415 or to send such data to an image output device such as printer 50 for printing. E-mail program 414 is a typical e-mail program and enables server 40 to receive and/or send e-mail messages over network 100. Queue 415 is utilized to store numerous print jobs for output on one or more image output devices, such as printer 50. Lastly, other files 416 contain other files or programs necessary to operate server 40 and/or to provide additional functionality to server 40.

[0045] Figure 5A is a view for explaining the encryption process of the present invention which enables a computer user of a computer on network 100, such as desktop computer 10, to send data related to a print job for printing only on an intended image output device when an intended recipient is present. For instance, a computer user located at desktop computer 10 may wish to prepare a document using word processing program 285 for printing only on printer 50 at a later time, when an intended recipient is physically present at printer 50. Most importantly, the computer user at desktop computer 10 wishes to protect the print job data from being accessed or viewed by any device other than printer 50 or by any person other than the intended recipient. Therefore, the present invention encrypts the image data so that it cannot be accessed by any other computer user or device on network 100 and so that it will remain encrypted up until the time the intended recipient is physically present at the intended printer. In this manner, even if the encrypted data is accessed at any point prior to the printing on the intended printer 50, the data will only appear to be a pile of unintelligible bits.

[0046] Specifically, as seen in Figure 5A, the encryption process starts with image data 501 which is preferably created by a computer user at desktop computer 10 using a program such as word processing program 285. When the computer user is ready to send a print job corresponding to data 501 to an intended printer, such as printer 50, for receipt by an intended recipient, the user preferably presses a button provided in word processing program 285 to indicate that the document is to be printed in a secure fashion. In the preferred mode, printer driver 282 handles the encryption process for encrypting data 501 before it is sent over network 100 to printer 50. Preferably, printer driver 282 generates a randomly-generated symmetric key for use with a symmetric encryption algorithm. Data 501 is then encrypted by applying the symmetric encryption algorithm using the randomly-generated symmetric key 510, thereby creating symmetrically encrypted data 502. In this manner, symmetrically encrypted data 502 can only be decrypted by a device having a similar symmetric encryption algorithm and a copy of symmetric key 510. Therefore, symmetric key 510 and symmetrically encrypted data 502 must be passed to printer 50 in order for the data to eventually be decrypted and printed out for the intended recipient. In order to maintain security until such time as data 501 is printed on printer 50, symmetric key 510 is also encrypted with two public keys which correspond to the intended printer and the intended recipient. Each public key is from a public key/private key pair which is used in an asymmetric encryption algorithm. In this manner, only the combination of private keys of the intended recipient and the intended printer will allow symmetric key 510 to be decrypted such that symmetrically encrypted data 502 can be decrypted for printing.

[0047] Therefore, as seen in Figure 5A, printer public key 520 corresponding to printer 50 is obtained from a public key infrastructure which is provided on a server on network 100, from a third-party key service via network 100, or from another suitable source such as a local key storage file. Printer public key 520 is then utilized in conjunction with an asymmetric encryption algorithm to encrypt symmetric key 510, thereby creating printer-key-encrypted symmetric key 511. In this manner, symmetric key 510 cannot be accessed without the corresponding private key of the public/private key pair corresponding to printer 50. As discussed above, the private key for printer 50 is preferably maintained in smart-chip 57 which is embedded within printer 50 so as to prevent exposure of the private key to any other person or device. In this manner, printer-key-encrypted symmetric key 511 can only be decrypted by the intended image output device, in this case printer 50.

[0048] Although the above encryption of symmetric key 510 ensures that only the intended printer can print the print job, it does not ensure that only the intended recipient will receive the print job for viewing. Therefore, it is also preferable to further encrypt symmetric key 510 with a public key corresponding to the intended recipient. As shown in Figure 5A, recipient public key 530 is also obtained from a public key infrastructure, or other suitable source. The printer-key-encrypted symmetric key 511 is then encrypted again using recipient public key 530 in conjunction with an asymmetric encryption algorithm to create twice-encrypted symmetric key 512. Twice-encrypted symmetric key 512 is shown to be encrypted at a first layer with printer public key 520 and at a second layer with recipient public key 530, thereby preventing access to symmetric key 510 unless the specific combination of private keys of the intended recipient and intended printer is provided.

[0049] As further shown in Figure 5A, a header 540 is provided to contain twice-encrypted symmetric key 512 and also to contain information related to the print job such as the sender's identity, the intended recipient's identity, and other information such as the size of the print job, and printer-related settings such as selection of a collating option, a stapling option, and a paper-selection option. In this manner, non-confidential information related to the print job itself can be provided to the intended printer for purposes of print job queuing and identification of the print job for eventual printing. It can be appreciated that header 540 may contain other types of information and may also be provided in a format which does not contain twice-encrypted symmetric key 512. In the preferred embodiment, header information 540 is prepended to twice-encrypted symmetric key 512 to create header 551. Once header 551 is created, an integrity algorithm is applied to header 551 and symmetrically encrypted data 502 in order to provide an integrity check whereby the receiving device may verify that header 551 and symmetrically encrypted data 502 have not been altered in any fashion. Specifically, header 551 and symmetrically encrypted data 502 are processed with hash algorithm 570 which is used to ensure the integrity of the data. The algorithm results in a value known as a "hash" which represents a type of checksum for the corresponding data.

[0050] Therefore, a data hash 553 and a header hash 554 are created and are thereupon digitally signed using sender private key 560 of a private key/public key pair corresponding to the sender who initiated the print job. In this manner, print job 550 is created which contains header 551, symmetrically encrypted data 502, data hash 553 and header hash 554. Sender private key 560 is preferably obtained from a smart-card, such as smart-card 16, belonging to the sender at desktop computer 10 via smart-card interface device 15. In the case where the sender and the intended recipient are the same person, sender private key 560 is from the same private key/public key pair as the recipient public key 530. In such a situation, the sender can send a secure print job to an intended printer from a remote location and can then later retrieve the print job with the sender's smart-card at the printer.

[0051] In this manner, print job 550 can be transmitted to the intended image output device, in this case printer 50, to be queued and eventually printed in the presence of the intended recipient. Intended printer 50 can then perform authentication of the sender of print job 550, verification of the integrity of header 551 and encrypted data 502 of print job 550, decryption of twice-encrypted symmetric key 512, and, finally, decryption of encrypted data 502 for printing on printer 50.

[0052] The encryption arrangement provided in Figure 5A is a preferred embodiment of the present invention; however, it can be appreciated that the data corresponding to a secure print job can be encrypted using other combinations of public keys, and can also be encrypted directly using the aforementioned public keys with an asymmetric encryption algorithm. For instance, the order of encryption of symmetric key 510 can be reversed such that symmetric key 510 is first encrypted using recipient public key 530 and is then encrypted using printer public key 520. Therefore, twice-encrypted symmetric key 512 would first be decrypted using the private key of the intended printer and would then be decrypted using the private key of the intended recipient.

[0053] In Figure 5B, the data associated with the secure print job is twice-encrypted using the public keys of the intended printer and intended recipient in conjunction with an asymmetric encryption algorithm, instead of with a symmetric key as shown in Figure 5A. In Figure 5B, data 581 is the print data associated with the secure print job. As in Figure 5A, public keys of the intended printer (520) and intended recipient (530) are first obtained from a public key infrastructure or other suitable source. Thereafter, data 581 is encrypted using an asymmetric encryption algorithm in conjunction with recipient public key 530 so as to create recipient-key-encrypted data 582. Then, recipient-key-encrypted data 582 is again encrypted using an asymmetric encryption algorithm in conjunction with printer public key 520 to create twice-encrypted data 583. Therefore, as shown in Figure 5B, the data itself is twice-encrypted for transmission to the intended printer after which it can only be decrypted with the private keys of the intended printer and the intended recipient, respectively.

[0054] Thus, the encryption arrangement depicted in Figure 5B may be utilized to provide secure printing of a document ordinarily without the use of a symmetric key as depicted in Figure 5A. The arrangement in Figure 5B may also be combined with the other features of Figure 5A, such as the creation of a header and a signed hash prior to transmittal of the twice-encrypted data to the intended printer. It should be noted that the encryption arrangement of Figure 5A is the preferred embodiment because double-encryption of a potentially large amount of data corresponding to data 581 as depicted in Figure 5B may require substantially greater computing resources than the encryption arrangement of Figure 5A wherein only symmetric key 510 is double-encrypted.

[0055] Figure 5C is a view for explaining the decryption and printing of data 501 which was encrypted according to Figure 5A. First, print job 550 is received at the intended printer, in this case printer 50, via network 100, and contains the same components as depicted in Figure 5A. Next, sender public key 561 is preferably obtained from a public key infrastructure, or other suitable source, and corresponds to the computer user at desktop computer 10 who sent the print job to printer 50. In the alternative, sender public key 561 can be provided in a copy of the sender's digital certificate contained within header information 540. Sender public key 561 is then used in conjunction with hashing algorithm 570 to authenticate and verify the integrity of header 551 and symmetrically encrypted data 502. Specifically, signed header hash 554 and signed data hash 553 are authenticated using sender public key 561 to verify that the sender was indeed the creator of print job 550. If the authentication fails, the print job is preferably discarded.

[0056] Next, print job 550 is stored in queue 356 of printer 50 or, in the alternative, is stored in queue 415 of server 40 for subsequent access by printer 50. Once the intended recipient is physically present at printer 50, recipient private key 531 is obtained through the recipient's smart-card, such as smart-card 56, which is inserted into smart-card interface device 55. For security reasons, recipient private key 531 is maintained solely on smart-card 56 and cannot be read by printer 50. Therefore, twice-encrypted symmetric key 512 is passed from printer 50 to smart-card 56 via smart-card interface device 55 where it is partially decrypted using recipient private key 531. Thereafter, partially-decrypted symmetric key 511 is returned from smart-card 56 to printer 50, wherein it is completely decrypted within smart-chip 57 of printer 50. This results in a "clear text" form of symmetric key 510.

[0057] Symmetric key 510 is then utilized to decrypt symmetrically-encrypted data 502 in order to obtain a clear text form of data 501. An image is then printed on printer 50 based upon decrypted data 501. In this manner it can be seen that the present invention provides the ability to transmit a document or image to an intended printer for printing only in the presence of an intended recipient. Until the intended recipient's presence is verified at the location of the intended printer, the print job is maintained in an encrypted form and cannot reasonably be decrypted by any other person or device that may have intercepted the encrypted data.

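The Figure 5A encryption and Figure 5C decryption described in [0046] to [0057], as an added example in Go; this is not code from the patent, which names no concrete algorithms. It assumes AES-256-GCM for the symmetric step, RSA-OAEP with SHA-256 for the two asymmetric layers, and the names SecurePrintJob, EncryptForPrinter, SmartCardPeel and PrinterDecrypt, none of which come from the text. The split between SmartCardPeel and PrinterDecrypt mirrors [0056]: the recipient's card removes only the outer layer, and symmetric key 510 is recovered only on the printer side. The example also makes explicit a constraint the text leaves implicit: public-key encryption of a blob that is already public-key encrypted only works when the outer key can carry the inner ciphertext, so the recipient key chosen here is larger than the printer key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecurePrintJob is an assumed layout; the text names key 510, data 502 and
// keys 511/512 but gives no byte format.
type SecurePrintJob struct {
	EncryptedData   []byte // data 502: AES-GCM nonce || ciphertext || tag
	TwiceWrappedKey []byte // key 512: OAEP(recipient 530, OAEP(printer 520, key 510))
}

// RSA-OAEP output equals the modulus size and (with SHA-256) accepts at most
// modulus-66 bytes of input, so the outer key must hold the inner ciphertext:
// a 2048-bit printer key gives a 256-byte key 511; 3072 bits accepts 318 bytes.
const (
	PrinterKeyBits   = 2048 // example choice
	RecipientKeyBits = 3072 // example choice, must exceed the printer modulus
)

func wrap(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

func unwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForPrinter is the sender side of Figure 5A (printer driver 282).
func EncryptForPrinter(data []byte, printerPub, recipientPub *rsa.PublicKey) (*SecurePrintJob, error) {
	key := make([]byte, 32) // symmetric key 510, fresh for every job
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	encData := aead.Seal(nonce, nonce, data, nil) // data 502
	k511, err := wrap(printerPub, key)            // layer 1: printer public key 520
	if err != nil {
		return nil, err
	}
	k512, err := wrap(recipientPub, k511) // layer 2: recipient public key 530
	if err != nil {
		return nil, err
	}
	return &SecurePrintJob{EncryptedData: encData, TwiceWrappedKey: k512}, nil
}

// SmartCardPeel is the smart-card 56 step of Figure 5C: strip only the outer
// layer with recipient private key 531; key 531 never leaves the card.
func SmartCardPeel(recipientPriv *rsa.PrivateKey, k512 []byte) ([]byte, error) {
	return unwrap(recipientPriv, k512)
}

// PrinterDecrypt is the smart-chip 57 step plus the symmetric decryption:
// key 511 -> key 510 -> data 501. GCM rejects any altered data 502.
func PrinterDecrypt(printerPriv *rsa.PrivateKey, k511, encData []byte) ([]byte, error) {
	key, err := unwrap(printerPriv, k511)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(encData) < aead.NonceSize() {
		return nil, errors.New("encrypted data 502 too short")
	}
	return aead.Open(nil, encData[:aead.NonceSize()], encData[aead.NonceSize():], nil)
}

func main() { // demo run; errors elided for brevity
	printerKey, _ := rsa.GenerateKey(rand.Reader, PrinterKeyBits)
	recipientKey, _ := rsa.GenerateKey(rand.Reader, RecipientKeyBits)
	job, _ := EncryptForPrinter([]byte("constructed sample print data 501"), &printerKey.PublicKey, &recipientKey.PublicKey)
	k511, _ := SmartCardPeel(recipientKey, job.TwiceWrappedKey)
	plain, err := PrinterDecrypt(printerKey, k511, job.EncryptedData)
	fmt.Printf("%q %v\n", plain, err)
}
```

Running main prints the recovered data 501. Because GCM authenticates the ciphertext, an altered data 502 fails inside PrinterDecrypt instead of producing garbage on paper, which complements the signed data hash of [0050]; and because the printer's private key cannot open key 512 at all (wrong modulus size, wrong layer), the order of [0056] is enforced by the construction rather than by convention.
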
[0058] Figure 5D is a view for explaining the decryption and printing of twice-encrypted print data 583 which was encrypted pursuant to the alternative of Figure 5B. First, twice-encrypted data 583 is passed to smart-card 56 of the intended recipient via smart-card interface 55, whereupon twice-encrypted data 583 is partially decrypted by using recipient private key 531 which is located in smart-card 56. Smart-card 56 thereupon returns the now partially-decrypted data 582 back to the control of printer 50. Next, partially-decrypted data 582 is passed to smart-chip 57 of printer 50 where partially-decrypted data 582 is completely decrypted using printer private key 521 contained in smart-chip 57 in printer 50. The decrypted, "clear" data 581 is now returned from smart-chip 57 to printer 50 for printing.

[0059] Although the encryption/decryption described in Figures 5B and 5D provides secure printing to an intended printer for an intended recipient, it can be seen that substantially greater resources may be required by smart-chip 57 and smart-card 56 to process twice-encrypted data in comparison to the resources required to process a twice-encrypted symmetric key as depicted in Figures 5A and 5C. Other collateral features depicted in Figure 5B, such as authentication and integrity verification, may also be incorporated in the decryption process of Figure 5D.

[0060] The hashing process depicted in Figure 5A provides signed data hash 553 which is a type of checksum that allows the receiving device, such as printer 50, to verify the integrity of the symmetrically encrypted data 502. Figure 6 shows a view for explaining one method of generating and formatting a signed hash for the data. In Figure 6, print data 601, which corresponds to the image to be securely printed, is in an unencrypted, "plaintext" format. A hashing algorithm, which is preferably a one-way hash function, is then applied to print data 601 to create data hash 610 which is essentially a message digest. Data hash 610 is then digitally signed using the private key of the sender, such as sender private key 560 of Figure 5A. Signed hash 611 may then be optionally encrypted. In either case, signed hash 611 is copied to signed hash 612 which is part of data block 600 for transmission to the intended printer where it is used for authentication and integrity verification purposes.

[0061] Figure 7A is a view for explaining the structure of the header according to a preferred embodiment of the invention. Specifically, recipient ID 701, sender ID 702 and symmetric key 703 are initially provided in a clear, plaintext format for inclusion in header 700 as depicted in Figure 7A. A hashing algorithm is then collectively performed on recipient ID 701, sender ID 702 and symmetric key 703 to create hash 720. Hash 720 is then signed with the private key of the sender, such as sender private key 560 as depicted in Figure 5A, to create signed hash 721. Signed hash 721 may then be optionally encrypted. In either case, signed hash 721 is then copied to signed hash 722 for inclusion in header 700.

[0062] Recipient ID 701 is left in a clear, plaintext format, copied to recipient ID 711 and included in header 700. In the alternative, recipient ID 701 may be encrypted with the public key of the intended printer for anonymity of the intended recipient's identification, copied to recipient ID 711 and included in header 700. In either case, the intended printer can extract and read recipient ID 711 upon receipt of the header, thereby allowing the intended printer to queue the print job corresponding to the intended recipient. Sender ID 702 may be encrypted with the public key of the intended printer before inclusion in header 700, but such encryption is not necessary. Either way, sender ID 702 is copied to sender ID 712 and included in header 700. Symmetric key 703 is preferably twice-encrypted as shown in Figure 5A and then provided in twice-encrypted symmetric key 713 and included in header 700.
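The signed header of Figures 6 and 7A, and its verification at the printer in steps S902 to S906 of Figure 9, as an added Go example rather than the patent's own code. It assumes SHA-256 for the hash, RSA-PSS for the signature, a length-prefixed encoding of the three header fields before hashing, and the names Header700, BuildHeader, SignData and PrinterCheck, all introduced here. Following Figure 5A rather than Figure 6, the data signature in this example covers encrypted data 502, so the printer can reject an altered job before any decryption takes place.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Header700 is an assumed layout for the header of Figure 7A; the text lists
// the fields but gives no byte format.
type Header700 struct {
	RecipientID string // 711, left in clear so the printer can queue by recipient
	SenderID    string // 712
	WrappedKey  []byte // 713, twice-encrypted symmetric key (opaque here)
	SignedHash  []byte // 722, signature over hash 720 of the three fields above
}

// canonical length-prefixes every field before hashing so the digest is
// unambiguous: ("ab","c") and ("a","bc") must not hash to the same value.
func canonical(fields ...[]byte) []byte {
	var buf bytes.Buffer
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf.Write(n[:])
		buf.Write(f)
	}
	return buf.Bytes()
}

// signDigest hashes msg (hash 720 / data hash 610) and signs the digest with
// the sender's private key (key 560): RSA-PSS over SHA-256.
func signDigest(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, d[:], nil)
}

// verifyDigest recomputes the hash and checks the signature with sender public
// key 561; one operation covers authenticity (S903) and integrity (S906).
func verifyDigest(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, d[:], sig, nil) == nil
}

func (h *Header700) signedFields() []byte {
	return canonical([]byte(h.RecipientID), []byte(h.SenderID), h.WrappedKey)
}

// BuildHeader is the sender's Figure 7A construction: fields 701-703, hash
// 720, signed hash 721, copied into the header as 722.
func BuildHeader(senderPriv *rsa.PrivateKey, recipientID, senderID string, wrappedKey []byte) (*Header700, error) {
	h := &Header700{RecipientID: recipientID, SenderID: senderID, WrappedKey: wrappedKey}
	sig, err := signDigest(senderPriv, h.signedFields())
	if err != nil {
		return nil, err
	}
	h.SignedHash = sig
	return h, nil
}

// SignData produces signed data hash 553 over encrypted data 502 so the
// printer can check it before decrypting (Figure 5A's choice, not Figure 6's).
func SignData(senderPriv *rsa.PrivateKey, encData []byte) ([]byte, error) {
	return signDigest(senderPriv, encData)
}

// PrinterCheck is steps S902-S906 of Figure 9. Any failure means the job is
// discarded (S905); the returned error names the check that failed.
func PrinterCheck(senderPub *rsa.PublicKey, h *Header700, encData, dataSig []byte) error {
	if !verifyDigest(senderPub, h.signedFields(), h.SignedHash) {
		return errors.New("header hash not authentic or header altered: discard (S905)")
	}
	if !verifyDigest(senderPub, encData, dataSig) {
		return errors.New("data hash not authentic or data altered: discard (S905)")
	}
	return nil
}

func main() { // demo run; errors elided for brevity
	sender, _ := rsa.GenerateKey(rand.Reader, 2048) // sender key pair 560/561
	wrapped := []byte("constructed placeholder for twice-encrypted key 713")
	encData := []byte("constructed placeholder for encrypted data 502")
	h, _ := BuildHeader(sender, "recipient@example.invalid", "sender@example.invalid", wrapped)
	dataSig, _ := SignData(sender, encData)
	fmt.Println("intact job:", PrinterCheck(&sender.PublicKey, h, encData, dataSig))
	altered := *h
	altered.RecipientID = "someone-else@example.invalid" // header changed in transit
	fmt.Println("altered header:", PrinterCheck(&sender.PublicKey, &altered, encData, dataSig))
}
```

The length prefix in canonical matters: hashing the fields as a bare concatenation would let two different (recipient ID, sender ID) pairs produce the same hash 720, so a header could be rewritten without invalidating signed hash 722. Since the recipient ID decides which queue the job lands in (S907), the printer relies on this signature, not on the plaintext field alone, before acting on it.
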

[0063] An alternative structure for the header is shown in Figure 7B whereby the header is structured so that it can be transmitted to the intended printer separately from the encrypted data. Specifically, recipient ID 751, sender ID 752, symmetric key 753 and a uniform resource locator (URL) 754 are initially provided in a clear, plaintext format for inclusion in header 750 as depicted in Figure 7A. URL 754 is preferably an address location where the encrypted data is stored for later retrieval and transmission to the intended printer. For instance, twice-encrypted data 512, as depicted in Figure 5A, would be maintained on fixed disk 280 of desktop computer 10, or on fixed disk 41 of server 40, at a memory location corresponding to URL 754. URL 754 is then included in header 750 which is sent to the intended printer without the encrypted data that corresponds to header 750. Desktop computer 10, or server 40, as the case may be, subsequently sends the corresponding encrypted data to the intended printer upon receipt of a request from the intended printer which contains a reference to URL 754. In this manner, the intended printer does not use memory space for storing the encrypted data until it is needed, upon which the intended printer pulls the encrypted data from its storage location by reference to corresponding URL 754.

[0064] A hashing algorithm is collectively performed on recipient ID 751, sender ID 752, symmetric key 753 and URL 754 to create hash 770. Hash 770 is then signed with the private key of the sender, such as sender private key 560 as depicted in Figure 5A, to create signed hash 771. Signed hash 771 may also be optionally encrypted for further security. In either case, signed hash 771 is copied to signed hash 772 for inclusion in header 750.

[0065] Recipient ID 751 is left in a clear, plaintext format, copied to recipient ID 761 and included in header 750. In the alternative, recipient ID 751 may be encrypted with the public key of the intended printer for anonymity of the intended recipient's identification, copied to recipient ID 761 and included in header 750. In either case, the intended printer can extract and read recipient ID 761 upon receipt of the header, thereby allowing the intended printer to queue the print job corresponding to the intended recipient. Sender ID 752 may be encrypted with the public key of the intended printer before inclusion in header 750, but such encryption is not necessary. Either way, sender ID 752 is copied to sender ID 762 and included in header 750. Symmetric key 753 is preferably twice-encrypted pursuant to the method shown in Figure 5A and is then provided as twice-encrypted symmetric key 763 and included in header 750. In this alternative header format, URL 754 is also encrypted, either with the public key of the intended printer or with symmetric key 753, and then stored in URL 764 in header 750.

[0066] By this arrangement, header 750 can then be transmitted separately to the intended printer prior to the transmission of the encrypted data corresponding to header 750. In this embodiment of the invention, header 750 is preferably transmitted via an E-mail message to the intended printer, such as printer 50, through E-mail program 287 of desktop computer 10 for receipt by E-mail program 359 of printer 50. Other means of sending header 750 over network 100 to printer 50 can also be used, such as through the use of one or more network protocols. When the encrypted data is needed by printer 50, such as when the intended recipient is present at printer 50, printer 50 can decrypt URL 754 and send a data request containing a reference to URL 754. The encrypted data corresponding to URL 754 is then sent to the intended printer for decryption and printing. Symmetric key 763 is then preferably decrypted in the manner described in Figure 5C, after which the encrypted data is decrypted and printed in the presence of the intended recipient. In this manner, the memory capacity of the intended printer or of a file server utilized by the intended printer is not burdened with large files of encrypted print data until it is necessary to retrieve such print data for decryption and printing.
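The separately sent header of Figure 7B and the printer-side pull described in [0066] (the path through steps S907 to S912 of Figure 9), as an added Go example, not code from the patent. It takes the first of the two options in [0065] and encrypts URL 754 with the printer's public key (RSA-OAEP with SHA-256), and assumes the names Header750, DataStore, Printer, SendHeader and ServeJob, a constructed URL, and an in-memory map standing in for fixed disk 280 or 41; the signed hash 772 of [0064] is left out here and is covered by the Figure 7A example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Header750 is an assumed layout for the separately sent header of Figure 7B.
// The encrypted data travels later; URL 764 tells the printer where to get it.
type Header750 struct {
	RecipientID  string // 761, in clear so the printer can queue by recipient
	SenderID     string // 762
	WrappedKey   []byte // 763, twice-encrypted symmetric key (opaque here)
	EncryptedURL []byte // 764: URL 754 under printer public key 520 (RSA-OAEP)
}

// DataStore stands in for fixed disk 280 or 41: encrypted data kept at URL 754
// until the printer asks for it.
type DataStore map[string][]byte

// Printer holds the per-recipient queue of step S907 and the printer's private
// key 521 (kept inside smart-chip 57 on the real device).
type Printer struct {
	priv  *rsa.PrivateKey
	queue map[string][]*Header750
}

func NewPrinter(priv *rsa.PrivateKey) *Printer {
	return &Printer{priv: priv, queue: map[string][]*Header750{}}
}

// SendHeader is the sender side of [0063]-[0066]: park the encrypted data at
// url, encrypt the URL for the printer, and return the header to be e-mailed.
func SendHeader(printerPub *rsa.PublicKey, store DataStore, recipientID, senderID string,
	wrappedKey, encData []byte, url string) (*Header750, error) {
	store[url] = encData
	encURL, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, printerPub, []byte(url), nil)
	if err != nil {
		return nil, err
	}
	return &Header750{RecipientID: recipientID, SenderID: senderID,
		WrappedKey: wrappedKey, EncryptedURL: encURL}, nil
}

// Receive is what e-mail program 359 hands over: queue the header by recipient
// ID (S907). The printer holds no encrypted data at this point.
func (p *Printer) Receive(h *Header750) {
	p.queue[h.RecipientID] = append(p.queue[h.RecipientID], h)
}

// Pending reports how many jobs wait for a recipient (the S910 check).
func (p *Printer) Pending(recipientID string) int {
	return len(p.queue[recipientID])
}

// ServeJob runs S910-S912 for a recipient who has authenticated at the printer:
// take the next job, decrypt URL 754 and pull the data from its location.
func (p *Printer) ServeJob(recipientID string, store DataStore) (*Header750, []byte, error) {
	jobs := p.queue[recipientID]
	if len(jobs) == 0 {
		return nil, nil, errors.New("no print job for this recipient (S910 -> S919)")
	}
	h := jobs[0]
	p.queue[recipientID] = jobs[1:]
	url, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, h.EncryptedURL, nil)
	if err != nil {
		return nil, nil, err
	}
	encData, ok := store[string(url)]
	if !ok {
		return nil, nil, errors.New("no data at the referenced URL")
	}
	return h, encData, nil // next: verify the data hash, decrypt key 763, print
}

func main() { // demo run; errors elided for brevity
	printerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	store := DataStore{}
	p := NewPrinter(printerKey)
	h, _ := SendHeader(&printerKey.PublicKey, store, "recipient@example.invalid", "sender@example.invalid",
		[]byte("constructed key 763"), []byte("constructed encrypted data 502"),
		"https://server40.example.invalid/spool/job-0001") // constructed URL 754
	p.Receive(h)
	fmt.Println("queued for recipient:", p.Pending("recipient@example.invalid"))
	_, data, err := p.ServeJob("recipient@example.invalid", store)
	fmt.Printf("fetched %q, err=%v\n", data, err)
}
```

Encrypting URL 754 keeps the storage location from anyone who can read the e-mailed header in transit, but it does not by itself vouch for what comes back from that location: the data the printer receives in step S912 still has to pass the signed data hash check before key 763 is decrypted and anything is printed.
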

[0067] Figure 8 is a flowchart for explaining the overall encryption and transmission of a secure print job according to a preferred embodiment of the present invention. The process steps shown in this figure, as well as those of Figure 9, are computer-executable process steps stored on a computer-readable memory medium such as disk 280, disk 41, or printer memory 51. First, in step S801, a sender working on a computer in a networked computing environment submits a print job for sending a document or image for secure printing at an intended image output device, such as a printer or facsimile device, in the presence of an intended recipient. Preferably, the print job is submitted by pressing a button in a word processing application, such as Microsoft Word, whereupon a printer driver interface appears for collecting necessary information, such as the intended recipient, and the like. In the alternative, a separate client application may be provided to collect such information. Preferably, the printer driver also performs the remaining steps of Figure 8 for encryption and transmittal of a secure print job.

[0068] Next, the image data associated with the print job is encrypted with a randomly-generated symmetric key in conjunction with a symmetric encryption algorithm as discussed above with regard to Figure 5A (step S802). In step S803, the public keys for the intended recipient and for the intended printer, respectively, are obtained from a public key infrastructure, or other suitable source, and the sender's private key is obtained, preferably from a smart-card 16 belonging to the sender via smart-card interface device 15. In step S804, the symmetric key is twice encrypted, by first encrypting the symmetric key with the public key of the intended printer in conjunction with an asymmetric encryption algorithm, and then encrypting the symmetric key again with the public key of the intended recipient in conjunction with an asymmetric encryption algorithm.

[0069] After the symmetric key is twice-encrypted, a header is formed which includes the twice-encrypted symmetric key and which also includes information related to the print job such as the identity of the intended recipient and of the sender in an unencrypted format (step S805). As discussed above, the header may also include a URL which points to the location of the encrypted data which corresponds to the header in the case where the header is to be sent separately from the encrypted data. In step S806, a hashing algorithm is then applied to the header to form a header hash and to the encrypted data to form a data hash. The header hash and data hash are then digitally signed with the private key of the sender in step S807. The header hash and data hash may also be optionally encrypted for additional security. Preferably, the private key of the sender is obtained from a smart-card which is kept in the possession of the sender. In the alternative, a token, flashrom or other means of storage can be used to securely store the private key of the sender.

[0070] Next, it is determined in step S808 whether the header is to be sent to the intended printer separate from the corresponding encrypted data. If the header is to be sent separately, control passes to step S809 in which the print job, comprising the header and the header hash, is sent over the network to the intended printer without the corresponding encrypted data. Preferably, the intended printer has an E-mail program and the print job containing the header and header hash is sent to the printer by means of E-mail, although the print job may be separately sent to the intended printer by other means, such as via one or more other network protocols. In the preferred mode, the header contains a URL which corresponds to the location in memory of the encrypted data and data hash. This location can reside on a disk of a computer or server which is accessible by the intended printer via the network. The corresponding encrypted data and data hash are then subsequently sent to the intended printer by the server or computer on which the encrypted data and data hash are stored in step S810, either automatically or at the request of the intended printer by reference to the URL which was provided to the intended printer in the earlier received header. Control then passes to the end (step S812).

[0071] If, however, it is determined in step S808 that the header is not to be sent separately from the corresponding encrypted data to the intended printer, control is passed to step S811 in which a print job comprising the header, header hash, encrypted data, and data hash is transmitted over the network to the intended printer. Control then passes to the end in step S812. In this embodiment, the intended printer receives the encrypted data along with the header which contains the twice-encrypted symmetric key for decryption of the encrypted data. In addition, the header hash and data hash are received by the intended printer for verification of the authenticity and integrity of the header and encrypted data.

[0072] Figure 9 is a flowchart for explaining the decryption and printing of a secure print job according to a preferred embodiment of the present invention. First, the intended printer receives a secure print job in step S901. As discussed above with respect to Figure 8, the print job may only comprise the header and header hash as in the case where the header and header hash are received by the intended printer separately by E-mail. Otherwise, the print job comprises the encrypted data and data hash along with the header and header hash and is received by the intended printer by normal means over the network.

[0073] Next, the public key of the sender is obtained from a public key infrastructure, from another suitable source, or from a copy of the sender's digital certificate provided in the header for use in the subsequent authentication and verification of integrity of the secure print job (step S902). In step S903 the sender's public key is used to check the authenticity of the digital signature of the header hash of the secure print job. If the header hash is not authentic, control passes to step S904 in which a notice is preferably sent to the sender to warn the sender that a non-authenticated print job has been detected. Next, in step S905 the print job is discarded. Flow then passes to the end in step S919. If, however, the header hash is determined to be authentic in step S903, flow passes to step S906 in which the integrity of the header is verified against the header hash.

[0074] In step S906 a hashing algorithm is used to compare the header to the signed data hash to verify that the header was received intact and was not tampered with, therefore indicating that the header is of reliable integrity. If the integrity of the header is in question, control passes to step S905 in which the print job is discarded. Control then passes to the end in step S919. If, however, the header is of reliable integrity, control passes to step S907 in which header information, such as the identity of the intended recipient, is extracted from the header whereupon the print job is placed in a print queue for subsequent printing. Preferably, the print job is sent from the printer to a local server on the network where it is stored in a print queue according to the identification of the intended recipient until subsequent retrieval by the intended printer. In the alternative, the print queue may be maintained in a large memory device within the intended printer itself.

[0075] In step S908, the intended recipient arrives at the location of the intended printer and inserts a smart-card belonging to the intended recipient into a smart-card interface device which is connected to the intended printer. Preferably, the smart-card contains a unique private key and also contains authenticating identification information corresponding to the intended recipient. The printer, via the smart-card interface device, obtains the authenticating identification information of the intended recipient from the smart-card and determines whether the identification of the intended recipient is authentic (step S909). If the identification information is not authentic, control passes to the end in step S919. If the identification information is authentic, the print queue, which is located in either the printer itself or in a local server, is queried, preferably by reference to the identification of the intended recipient, to determine if there are any print jobs corresponding to the intended recipient (step S910). If there are not any print jobs in the print queue corresponding to the intended recipient, control passes to the end in step S919. If, on the other hand, there is a print job in the print queue corresponding to the intended recipient, the next sequential print job in the print queue is obtained and control passes to step S911.

[0076] In step S911, the print job is examined to determine if the print job contains only the header and header hash, as in the case where the header and header hash are sent separately by e-mail to the printer without the encrypted data and data hash. If this is the case, the intended printer sends a request to the location where the encrypted data is stored, such as a server or computer on the network, to retrieve the encrypted data whereupon the encrypted data and corresponding data hash are transmitted from the server or computer, as the case may be, to the intended printer (step S912). In the preferred mode, the request by the intended printer to retrieve the encrypted data contains a reference to a URL contained in the header which was received earlier by the intended printer, wherein the URL points to the location of the encrypted data and corresponding data hash. In this manner, the intended printer is not required to store large files of encrypted data until they are needed for printing, at which time the encrypted data is pulled from its location on a server or computer to the intended printer. The retrieval request by the printer and subsequent transmission of the encrypted data and data hash preferably are implemented by normal network communication means, such as TCP/IP protocol and HTTP protocol where the retrieval request contains a reference to a URL, although other protocols such as FTP may also be used. Control then passes to step S913. If it is determined in step S911 that the header was not sent separately to the intended printer, then the print job already comprises the encrypted data along with the header, and therefore control passes directly to step S913.
[0077] Next, in step S913, the twice-encrypted symmetrical key is extracted from the header of the print job and is partially decrypted by using the private key of the intended recipient in conjunction with an asymmetric decryption algorithm. In the preferred embodiment, the smart-card of the intended recipient contains the intended recipient's private key and also contains a microprocessor such that the twice-encrypted symmetrical key is passed to the smart-card by the printer through a smart-card interface device. In this manner, the partial decryption actually takes place on the smart-card itself, thereby preventing external access to the private key of the intended recipient which is contained on the smart-card.

[0078] The partially decrypted symmetric key is then returned from the smart-card to the printer whereupon the partially decrypted symmetric key is completely decrypted by using the private key of the intended printer in conjunction with an asymmetric decryption algorithm (step S914). Preferably, the private key of the intended printer is contained in a smart-chip which is embedded within the printer. The partially decrypted symmetric key is passed to the smart-chip where it is completely decrypted using the private key contained in the smart-chip, thereby preventing external access to the printer's private key which is contained on the smart-chip. Other means for storing the private key of the intended printer could also be used, such as a token, flashrom, or the like.

[0079] The completely decrypted, "clear" symmet- 
ric key is then returned from the smart-chip to the 
intended printer, whereupon the decrypted, "clear" sym- 
metric key is used to decrypt the encrypted data pursu- 
ant to a symmetric decryption algorithm (step S915). 
Next, the integrity of the decrypted data is verified in 
step S916 by comparing the data with the data hash 
through the use of a hashing algorithm as discussed 
above. If the integrity of the decrypted data cannot be 
verified, then the data may have been intercepted 
and/or tampered with such that it cannot be relied upon, 
and therefore control is passed to step S917 in which 
the entire print job is discarded. Control is then passed 
to the end in step S919. If, however, the integrity of the 
decrypted data is verified in step S916, control passes 
to step S918 in which an image is printed by the 
intended printer in accordance with the decrypted data 
(step S912). Control then passes to the end in step 
S919. 
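The receive-side procedure of steps S903 to S918 above, as an added example that is not part of the patent: a sender wraps a random symmetric key first with the printer's public key and then with the recipient's public key (the order of claim 6), signs the header hash and data hash (claim 10), and the printer runs the authenticity, integrity, recipient and unwrapping checks with the recipient's private key confined to a SmartCard object. RSA-OAEP, RSA-PSS, AES-CTR, SHA-256, the JSON header layout and every identifier are assumptions of this example, which needs the `cryptography` package.

```python
# Added example (not the patent's code): two-layer wrapping of the symmetric key
# and the printer-side checks of steps S903-S918. RSA-OAEP, RSA-PSS, AES-CTR and
# SHA-256 are assumed concrete choices; the patent names no algorithms.
import hashlib
import json
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)
PREHASHED = utils.Prehashed(hashes.SHA256())   # sign the hash itself, as claim 10 does


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SmartCard:
    """Recipient's card (paragraph [0077]): the private key never leaves it."""

    def __init__(self, recipient_id: str):
        # The outer layer must OAEP-wrap a whole inner RSA ciphertext (256 bytes
        # for a 2048-bit printer key), so the recipient key is 3072 bits.
        self._priv = rsa.generate_private_key(public_exponent=65537, key_size=3072)
        self.public_key = self._priv.public_key()
        self.recipient_id = recipient_id

    def partial_decrypt(self, twice_wrapped: bytes) -> bytes:
        return self._priv.decrypt(twice_wrapped, OAEP)          # step S913, on the card


def build_job(plaintext, sender_id, sender_priv, printer_pub, recipient_pub, recipient_id):
    """Sender side (claims 2, 6 and 10): returns the job as transmitted."""
    first_key = os.urandom(32)                        # random symmetric key (claim 3)
    nonce = os.urandom(16)
    enc = Cipher(algorithms.AES(first_key), modes.CTR(nonce)).encryptor()
    encrypted_data = nonce + enc.update(plaintext) + enc.finalize()
    once = printer_pub.encrypt(first_key, OAEP)       # second key: printer's public key
    twice = recipient_pub.encrypt(once, OAEP)         # third key: recipient's public key
    header = json.dumps({"sender": sender_id, "recipient": recipient_id,
                         "wrapped_key": twice.hex()}).encode()
    header_hash, data_hash = sha256(header), sha256(encrypted_data)
    return {"header": header, "header_hash": header_hash,
            "header_sig": sender_priv.sign(header_hash, PSS, PREHASHED),
            "data": encrypted_data, "data_hash": data_hash,
            "data_sig": sender_priv.sign(data_hash, PSS, PREHASHED)}


def _authentic(pub, sig: bytes, digest: bytes) -> bool:
    try:
        pub.verify(sig, digest, PSS, PREHASHED)
        return True
    except InvalidSignature:
        return False


def printer_receive(job, sender_pub):
    """Steps S903-S907 on arrival: returns (queue entry or None, status)."""
    if not _authentic(sender_pub, job["header_sig"], job["header_hash"]):
        return None, "S905: header hash not authentic, sender notified"   # S903, S904
    if sha256(job["header"]) != job["header_hash"]:
        return None, "S905: header integrity failure"                     # S906
    header = json.loads(job["header"])                                    # S907
    return {"recipient": header["recipient"], "header": header, "job": job}, "queued"


def printer_release(entry, card: SmartCard, printer_priv, sender_pub):
    """Steps S909-S918 when a card is inserted: returns (plaintext or None, status)."""
    if card.recipient_id != entry["recipient"]:
        return None, "S910: no print job for this recipient"
    job = entry["job"]
    partial = card.partial_decrypt(bytes.fromhex(entry["header"]["wrapped_key"]))
    first_key = printer_priv.decrypt(partial, OAEP)   # S914, in the printer's smart-chip
    # S916 as claim 10 states it: the signed hash covers the encrypted data, so
    # the check runs before the job is decrypted.
    if (sha256(job["data"]) != job["data_hash"]
            or not _authentic(sender_pub, job["data_sig"], job["data_hash"])):
        return None, "S917: data integrity failure, job discarded"
    nonce, body = job["data"][:16], job["data"][16:]
    dec = Cipher(algorithms.AES(first_key), modes.CTR(nonce)).decryptor()
    return dec.update(body) + dec.finalize(), "S918: printed"            # S915, S918


def run_scenario():
    """Constructed end-to-end run: honest job, wrong card, tampered header."""
    printer_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sender_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sender_pub = sender_priv.public_key()
    alice, bob = SmartCard("alice"), SmartCard("bob")
    plaintext = b"CONFIDENTIAL: constructed sample payslip"
    job = build_job(plaintext, "payroll-pc", sender_priv,
                    printer_priv.public_key(), alice.public_key, "alice")
    entry, _ = printer_receive(job, sender_pub)
    printed, _ = printer_release(entry, alice, printer_priv, sender_pub)
    _, wrong_card = printer_release(entry, bob, printer_priv, sender_pub)
    tampered = dict(job, header=job["header"].replace(b"alice", b"mallory"))
    _, tampered_status = printer_receive(tampered, sender_pub)
    return printed, wrong_card, tampered_status
```

The tampered header still carries a valid signature over the original header hash, so it passes step S903 and is caught only by the S906 recomputation, which is why the patent keeps both checks.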

[0080] In this manner, secure printing is provided 
such that an image can be generated only by an 
intended image output device in the presence of an 
intended recipient. In particular, the print data is 
encrypted in such a manner that the data can only be 
decrypted using a combination of secret keys which are 
supplied by the intended image output device and by 
the intended recipient, respectively. 
[0081] It will be appreciated that the invention 
extends to a signal conveying machine readable 
instructions for causing a processor to operate as a 
computer or printer control unit as described above, as 
well as a computer-readable medium storing such 
instructions. Such a signal may be downloaded from, for 
example, the Internet or a network. 
[0082] The invention has been described with particular illustrative embodiments. It is to be understood that the invention is not limited to the above-described embodiments and that various changes and modifications may be made by those of ordinary skill in the art without departing from the spirit and scope of the invention.

Claims 

1. A method for secure transmission of data to an intended image output device, wherein the data can be used to generate an image at the intended image output device in the presence of an intended recipient, the method comprising:

an encrypting step of twice encrypting the data using a first key and a second key, the first key being a public key of a first private key/public key pair, a private key of the first private key/public key pair being primarily in the sole possession of the intended image output device, and the second key being a public key of a second private key/public key pair, a private key of the second private key/public key pair being primarily in the sole possession of the intended recipient of the image; and
a transmitting step of transmitting the twice-encrypted data to the intended image output device.

2. A method for secure transmission of data to an intended image output device, wherein the data can be used to generate an image at the intended image output device in the presence of an intended recipient, the method comprising:

a first encrypting step of encrypting the data using a first key;
a second encrypting step of twice encrypting the first key using a second key and a third key, the second key being a public key of a first private key/public key pair, a private key of the first private key/public key pair being primarily in the sole possession of the intended image output device, and the third key being a public key of a second private key/public key pair, a private key of the second private key/public key pair being primarily in the sole possession of the intended recipient of the image; and
a transmitting step of transmitting the encrypted data and the twice-encrypted first key to the intended image output device.

3. A method according to Claim 2, wherein the first key is randomly generated.

4. A method according to Claim 2, wherein the first encrypting step utilizes a symmetric encryption algorithm.

5. A method according to Claim 2, wherein the second encrypting step utilizes an asymmetric encryption algorithm.

6. A method according to Claim 2, wherein the second encrypting step encrypts the first key using the second key before encrypting the first key using the third key.

7. A method according to Claim 2, wherein the second encrypting step encrypts the first key using the third key before encrypting the first key using the second key.

8. A method according to Claim 2, wherein, in the 
transmitting step, the twice-encrypted first key is 
contained in a header which also contains informa- 
tion related to the identity of a device initiating the 
secure transmission. 

9. A method according to Claim 2, wherein, in the 
transmitting step, the twice-encrypted first key is 
contained in a header which also contains informa- 
tion related to the identity of a person initiating the 
secure transmission. 

10. A method according to Claim 9, further comprising: 

a hashing step of processing the header and 
the encrypted data with a hashing algorithm, 
resulting in a header hash and a data hash; 
and 

a signing step of digitally signing the header 
hash and the data hash with a private key of a 
third private key/public key pair, the private key 
of the third private key/public key pair being pri- 
marily maintained in the sole possession of the 
person initiating the secure transmission, 
wherein the transmitting step further transmits 
the signed header hash and the signed data 
hash. 

11. A method according to Claim 2, wherein the 
intended image output device is a printer. 

12. A method according to Claim 2, wherein the intended image output device is a facsimile machine.

13. A method for secure transmission of data to an intended image output device, wherein the data can be used to generate an image at the intended image output device in the presence of an intended recipient, the method comprising:

a first encrypting step of encrypting the data using a first key;
a second encrypting step of twice encrypting the first key using a second key and a third key, the second key being a public key of a first private key/public key pair, a private key of the first private key/public key pair being primarily in the sole possession of the intended image output device, and the third key being a public key of a second private key/public key pair, a private key of the second private key/public key pair being primarily in the sole possession of the intended recipient of the image;
a generating step of generating a header containing the twice-encrypted first key;
a first transmitting step of transmitting the header to the intended image output device;
a receiving step of receiving a request from the intended image output device for the encrypted data; and
a second transmitting step of transmitting the encrypted data to the intended image output device.

14. A method according to Claim 13, wherein the first transmitting step transmits the header to the intended image output device by e-mail.

15. A method according to Claim 13, wherein the header which is generated in the generating step also contains a reference to a location of the encrypted data, and wherein the request for encrypted data contains the reference to the location of the encrypted data.

16. A method for generating an image from twice-encrypted data transmitted to an intended image output device, wherein the twice-encrypted data can be used to generate the image at the intended image output device in the presence of an intended recipient, the method comprising:

a receiving step of receiving twice-encrypted data;
a decrypting step of twice decrypting the twice-encrypted data using a first key and a second key, the first key being a private key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended recipient of the image, and the second key being a private key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended image output device; and
an image generating step of generating an image from the decrypted data.

17. A method for generating an image from data transmitted to an intended image output device, wherein the data can be used to generate the image at the intended image output device in the presence of an intended recipient, the method comprising:

a receiving step of receiving encrypted data and a twice-encrypted first key;
a first decrypting step of twice decrypting the twice-encrypted first key using a second key and a third key, the second key being a private key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended recipient of the image, and the third key being a private key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended image output device;
a second decrypting step of decrypting the encrypted data using the decrypted first key; and
an image generating step of generating an image from the decrypted data.

18. A method according to Claim 17, wherein the first decrypting step utilizes an asymmetric decryption algorithm.

19. A method according to Claim 17, wherein the second decrypting step utilizes a symmetric decryption algorithm.

20. A method according to Claim 17, wherein the first decrypting step decrypts the twice-encrypted first key using the second key before decrypting the twice-encrypted first key using the third key.

21. A method according to Claim 17, wherein the first decrypting step decrypts the twice-encrypted first key using the third key before decrypting the twice-encrypted first key using the second key.

22. A method according to Claim 17, wherein the third key is contained within the intended image output device, whereby the third key is primarily shielded from access by devices other than the intended image output device.

23. A method according to Claim 17, wherein the second key is contained in a smart-card possessed by the intended recipient, whereby the second key is hidden from recipients other than the intended recipient.

24. A method according to Claim 17, wherein the receiving step further receives a signed header hash and a signed data hash, the method further comprising a verifying step of verifying the authenticity and the integrity of the signed header hash and of the signed data hash.

25. A method according to Claim 24, further comprising the step of discarding the encrypted data rather than outputting an image based upon the encrypted data, if the signed header hash or the signed data hash fail the verification of authenticity and integrity.

26. A method according to Claim 25, further comprising the step of sending a notice to a sender of the signed header, if the signed header hash or the signed data hash fail the verification of authenticity and integrity.

27. A method according to Claim 17, wherein the intended image output device is a printer.

28. A method according to Claim 17, wherein the intended image output device is a facsimile machine.

29. A method for generating an image from data transmitted to an intended image output device, wherein the data can be used to generate the image at the intended image output device in the presence of an intended recipient, the method comprising:

a receiving step of receiving a header containing a twice-encrypted first key;
a sending step of sending a request for encrypted data corresponding to the header;
a receiving step of receiving encrypted data corresponding to the header;
a first decrypting step of twice decrypting the twice-encrypted first key using a second key and a third key, the second key being a private key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended recipient of the image, and the third key being a private key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended image output device;
a second decrypting step of decrypting the encrypted data using the decrypted first key; and
an image generating step of generating an image from the decrypted data.

30. A method according to Claim 29, wherein the header is received in the receiving step by e-mail.

31. A method according to Claim 29, wherein the header also contains a reference to a location of the encrypted data, and wherein the request for encrypted data contains the reference to the location of the encrypted data.

32. An apparatus for secure transmission of data to an intended image output device, wherein the data can be used to generate an image at the intended image output device for receipt by an intended recipient, the apparatus comprising:

a memory including a region for storing executable process steps and data for the image; and
a processor for executing the executable process steps;

wherein the executable process steps include (a) an encrypting step of twice encrypting the data using a first key and a second key, the first key being a public key of a first private key/public key pair, a private key of the first private key/public key pair being primarily in the sole possession of the intended image output device, and the second key being a public key of a second private key/public key pair, a private key of the second private key/public key pair being primarily in the sole possession of the intended recipient of the image; and (b) a transmitting step of transmitting the twice-encrypted data to the intended image output device.

33. An apparatus for secure transmission of data to an 
intended image output device, wherein the data can 
be used to generate an image at the intended 
image output device in the presence of an intended 
recipient, the apparatus comprising: 

a memory including a region for storing execut- 
able process steps and data for the image; and 
a processor for executing the executable proc- 
ess steps; 

wherein the executable process steps include 
(a) a first encrypting step of encrypting the data 
using a first key; (b) a second encr/pting step 
of twice encrypting the first key using a second 
key and a third key, the second key being a 
public key of a first private key/public key pair, a 
private key of the first private key/public key 
pair being primarily in the sole possession of 
the intended image output device, and the third 
key being a public key of a second private 
key/public key pair, a private key of the second 
private key/public key pair being primarily in the 
sole possession of the intended recipient of the 
image; and (c) a transmitting step of transmit- 
ting the encrypted data and the twice- 
encrypted first key to the intended image out- 
put device. 

34. An apparatus according to Claim 33, wherein the first key is randomly generated.

35. An apparatus according to Claim 33, wherein the first encrypting step utilizes a symmetric encryption algorithm.

36. An apparatus according to Claim 33, wherein the second encrypting step utilizes an asymmetric encryption algorithm.

37. An apparatus according to Claim 33, wherein the second encrypting step encrypts the first key using the second key before encrypting the first key using the third key.

38. An apparatus according to Claim 33, wherein the second encrypting step encrypts the first key using the third key before encrypting the first key using the second key.

39. An apparatus according to Claim 33, wherein, in the transmitting step, the twice-encrypted first key is contained in a header which also contains information related to the identity of a device initiating the secure transmission.

40. An apparatus according to Claim 33, wherein, in the transmitting step, the twice-encrypted first key is contained in a header which also contains information related to the identity of a person initiating the secure transmission.

41. An apparatus according to Claim 40, wherein the executable process steps further comprise: (d) a hashing step of processing the header and the encrypted data with a hashing algorithm, resulting in a header hash and a data hash; and (e) a signing step of digitally signing the header hash and the data hash with a private key of a third private key/public key pair, the private key of the third private key/public key pair being primarily maintained in the sole possession of the person initiating the secure transmission, wherein the transmitting step further transmits the signed header hash and the signed data hash.

42. An apparatus according to Claim 33, wherein the apparatus is a computer and the intended image output device is a printer.

43. An apparatus according to Claim 33, wherein the apparatus is a computer and the intended image output device is a facsimile machine.

44. An apparatus according to Claim 33, wherein the apparatus is a first facsimile machine and the intended image output device is a second facsimile machine.

45. An apparatus for secure transmission of data to an intended image output device, wherein the data can be used to generate an image at the intended image output device in the presence of an intended recipient, the apparatus comprising:

a memory including a region for storing executable process steps and data for the image; and
a processor for executing the executable process steps;

wherein the executable process steps include (a) a first encrypting step of encrypting the data using a first key; (b) a second encrypting step of twice encrypting the first key using a second key and a third key, the second key being a public key of a first private key/public key pair, a private key of the first private key/public key pair being primarily in the sole possession of the intended image output device, and the third key being a public key of a second private key/public key pair, a private key of the second private key/public key pair being primarily in the sole possession of the intended recipient of the image; (c) a generating step of generating a header containing the twice-encrypted first key; (d) a first transmitting step of transmitting the header to the intended image output device; (e) a receiving step of receiving a request from the intended image output device for the encrypted data; and (f) a second transmitting step of transmitting the encrypted data to the intended image output device.

46. An apparatus according to Claim 45, wherein the first transmitting step transmits the header to the intended image output device by e-mail.

47. An apparatus according to Claim 45, wherein the 
header which is generated in the generating step 
also contains a reference to a location of the 
encrypted data, and wherein the request for 
encrypted data contains the reference to the loca- 
tion of the encrypted data. 

48. An image output device for generating an image from data transmitted to the image output device, wherein the data can be used to generate the image at the image output device in the presence of an intended recipient, the image output device comprising:

a receiver for receiving twice-encrypted data;
an image generator for generating an image from image data;
a memory including a region for storing executable process steps and data; and
a processor for executing the executable process steps, wherein the executable process steps include: (a) a decrypting step of twice decrypting the twice-encrypted data using a first key and a second key, the first key being a private key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended recipient of the image, and the second key being a private key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended image output device; and (b) an image generating step of generating an image from the decrypted data.

49. An image output device for generating an image from data transmitted to the image output device, wherein the data can be used to generate the image at the image output device in the presence of an intended recipient, the image output device comprising:

a receiver for receiving encrypted data and a twice-encrypted first key;
an image generator for generating an image from image data;
a memory including a region for storing executable process steps and data; and
a processor for executing the executable process steps, wherein the executable process steps include: (a) a first decrypting step of decrypting the twice-encrypted first key using a second key and a third key, the second key being a private key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended recipient of the image, and the third key being a private key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended image output device; (b) a second decrypting step of decrypting the encrypted data using the decrypted first key; and (c) an image generating step of generating an image from the decrypted data using the image generator.

50. An image output device according to Claim 49, 
wherein the first decrypting step utilizes an asym- 
metric decryption algorithm. 

51. An image output device according to Claim 49, 
wherein the second decrypting step utilizes a sym- 
metric decryption algorithm. 

52. An image output device according to Claim 49, 
wherein the first decrypting step decrypts the first 
key using the second key before decrypting the first 
key using the third key. 

53. An image output device according to Claim 49, 
wherein the first decrypting step decrypts the first 
key using the third key before decrypting the first 
key using the second key. 

54. An image output device according to Claim 49, wherein the third key is contained within the image output device, whereby the third key is primarily shielded from access by devices other than the image output device.

55. An image output device according to Claim 49, wherein the second key is contained in a smart-card possessed by the intended recipient, whereby the second key is hidden from recipients other than the intended recipient.

56. An image output device according to Claim 49, wherein the receiving step further receives a signed header hash and a signed data hash, the executable process steps further comprising a verifying step of verifying the authenticity and integrity of the signed header hash and of the signed data hash.

57. An image output device according to Claim 56, wherein the executable process steps further comprise the step of discarding the encrypted data rather than outputting an image, if the signed header hash or the signed data hash fail the verification of authenticity and integrity.

58. An image output device according to Claim 57, wherein the executable process steps further comprise the step of sending a notice to a sender of the signed header, if the signed header hash or the signed data hash fail the verification of authenticity and integrity.

59. An image output device according to Claim 49, wherein the image output device is a printer.

60. An image output device according to Claim 49, wherein the image output device is a facsimile machine.

61. An image output device for generating an image from data transmitted to the image output device, wherein the data can be used to generate the image at the image output device in the presence of an intended recipient, the image output device comprising:

a receiver for receiving a header containing a twice-encrypted first key;
an image generator for generating an image from image data;
a memory including a region for storing executable process steps and data; and
a processor for executing the executable process steps, wherein the executable process steps include: (a) a sending step of sending a request for encrypted data corresponding to the header; (b) a receiving step of receiving encrypted data corresponding to the header; (c) a first decrypting step of twice decrypting the twice-encrypted first key using a second key and a third key, the second key being a private key of a first private key/public key pair, the private key of the first private key/public key pair being primarily in the sole possession of the intended recipient of the image, and the third key being a private key of a second private key/public key pair, the private key of the second private key/public key pair being primarily in the sole possession of the intended image output device; (d) a second decrypting step of decrypting the encrypted data using the decrypted first key; and (e) an image generating step of generating an image from the decrypted data.

62. A device according to Claim 61, wherein the header is received by e-mail.

63. A device according to Claim 61, wherein the header also contains a reference to a location of the encrypted data, and wherein the request for encrypted data contains the reference to the location of the encrypted data.

64. A computer-readable medium which stores computer-executable process steps which securely transmit data to an intended image output device, wherein the data can be used to generate an image at the intended image output device in the presence of an intended recipient, the computer-executable process steps comprising:

a data generating step to generate data for an image;
an encrypting step to twice encrypt the data using a first key and a second key, the first key being a public key of a first private key/public key pair, a private key of the first private key/public key pair being primarily in the sole possession of the intended image output device, and the second key being a public key of a second private key/public key pair, a private key of the second private key/public key pair being primarily in the sole possession of the intended recipient of the image; and
a transmitting step to transmit the twice-encrypted data to the intended image output device.

50 

65. A computer-readable medium which stores compu- 
ter-executable process steps which securely trans- 
mit data to an intended image output device, 
wherein the data can be used to generate an image
at the intended image output device in the presence
of an intended recipient, the computer-executable 
process steps comprising: 



a data generating step to generate data for an 
image; 

a first encrypting step to encrypt the data using 
a first key; 

a second encrypting step to encrypt the first 
key twice using a second key and a third key, 
the second key being a public key of a first pri- 
vate key/public key pair, a private key of the first 
private key/public key pair being primarily in the 
sole possession of the intended image output 
device, and the third key being a public key of a 
second private key/public key pair, a private 
key of the second private key/public key pair 
being primarily in the sole possession of the 
intended recipient of the image; and 
a transmitting step to transmit the encrypted 
data and the twice-encrypted first key to the 
intended image output device. 

66. A computer-readable medium according to Claim 
65, wherein the first key is randomly generated. 

67. A computer-readable medium according to Claim
65, wherein the first encrypting step utilizes a
symmetric encryption algorithm.

68. A computer-readable medium according to Claim 
65, wherein the second encrypting step utilizes an 
asymmetric encryption algorithm. 

69. A computer-readable medium according to Claim
65, wherein the second encrypting step encrypts 
the first key using the second key before encrypting 
the first key using the third key. 

70. A computer-readable medium according to Claim
65, wherein the second encrypting step encrypts 
the first key using the third key before encrypting 
the first key using the second key. 

71. A computer-readable medium according to Claim 
65, wherein, in the transmitting step, the twice- 
encrypted first key is contained in a header which 
also contains information related to the identity of a 
device initiating the secure transmission. 

72. A computer-readable medium according to Claim
65, wherein, in the transmitting step, the
twice-encrypted first key is contained in a header which
also contains information related to the identity of a 
person initiating the secure transmission. 

73. A computer-readable medium according to Claim
72, wherein the computer-executable process 
steps further comprise: 

a hashing step to process the header and the 
encrypted data with a hashing algorithm. 
resulting in a header hash and a data hash;
and 

a signing step to digitally sign the header hash 
and the data hash with a private key of a third 
private key/public key pair, the private key of 
the third private key/public key pair being primarily
maintained in the sole possession of the
person initiating the secure transmission,
wherein the transmitting step further transmits 
the signed header hash and the signed data 
hash. 

74. A computer-readable medium according to Claim 
65, wherein the intended image output device is a 
printer. 

75. A computer-readable medium according to Claim 
65, wherein the intended image output device is a 
facsimile machine. 

76. A computer-readable medium which stores compu- 
ter-executable process steps which securely trans- 
mit data to an intended image output device, 
wherein the data can be used to generate an image 
at the intended image output device in the presence 
of an intended recipient, the computer-executable 
process steps comprising: 

a data generating step to generate data for an 
image; 

a first encrypting step to encrypt the data using 
a first key; 

a second encrypting step to twice encrypt the 
first key using a second key and a third key, the 
second key being a public key of a first private
key/public key pair, a private key of the first
private key/public key pair being primarily in the
sole possession of the intended image output 
device, and the third key being a public key of a 
second private key/public key pair, a private 
key of the second private key/public key pair 
being primarily in the sole possession of the 
intended recipient of the image; 
a generating step to generate a header con- 
taining the twice-encrypted first key; 
a first transmitting step to transmit the header 
to the intended image output device; 
a receiving step to receive a request from the 
intended image output device for the encrypted 
data; and 

a second transmitting step to transmit the 
encrypted data to the intended image output 
device. 

77. A computer-readable medium according to Claim 
76, wherein the first transmitting step transmits the 
header to the intended image output device by e-mail.
78. A computer-readable medium according to Claim
76, wherein the header which is generated in the 
generating step also contains a reference to a
location of the encrypted data, and wherein the request
for encrypted data contains the reference to the
location of the encrypted data.

79. A computer-readable medium which stores
computer-executable process steps for generating an
image from twice-encrypted data transmitted to an
intended image output device, wherein the
twice-encrypted data can be used to generate the image
at the intended image output device in the presence
of an intended recipient, the computer-executable
process steps comprising:

a receiving step to receive twice-encrypted 
data; 

a decrypting step to twice decrypt the
twice-encrypted data using a first key and a second
key, the first key being a private key of a first
private key/public key pair, the private key of the
first private key/public key pair being primarily
in the sole possession of the intended recipient
of the image, and the second key being a private
key of a second private key/public key pair,
the private key of the second private key/public
key pair being primarily in the sole possession
of the intended image output device; and
an image generating step to generate an image
from the decrypted data.

80. A computer-readable medium which stores
computer-executable process steps for generating an
image from data transmitted to an intended image
output device, wherein the data can be used to gen- 
erate the image at the intended image output 
device in the presence of an intended recipient, the 
computer-executable process steps comprising: 


a receiving step to receive encrypted data and 
a twice-encrypted first key; 
a first decrypting step to twice decrypt the
twice-encrypted first key using a second key
and a third key, the second key being a private
key of a first private key/public key pair, the
private key of the first private key/public key pair
being primarily in the sole possession of the
intended recipient of the image, and the third
key being a private key of a second private
key/public key pair, the private key of the
second private key/public key pair being primarily
in the sole possession of the intended image
output device;

a second decrypting step to decrypt the
encrypted data using the decrypted first key;
and

an image generating step to generate an image 
from the decrypted data.

81. A computer-readable medium according to Claim 
80, wherein the first decrypting step utilizes an 
asymmetric decryption algorithm.

82. A computer-readable medium according to Claim 
80, wherein the second decrypting step utilizes a 
symmetric decryption algorithm. 


83. A computer-readable medium according to Claim 
80, wherein the first decrypting step decrypts the 
twice-encrypted first key using the second key 
before decrypting the twice-encrypted first key 
using the third key.

84. A computer-readable medium according to Claim 
80, wherein the first decrypting step decrypts the 
twice-encrypted first key using the third key before 
decrypting the twice-encrypted first key using the
second key.

85. A computer-readable medium according to Claim 
80, wherein the third key is contained within the 
intended image output device, whereby the third
key is primarily shielded from access by devices 
other than the intended image output device. 

86. A computer-readable medium according to Claim
80, wherein the second key is contained in a
smart-card possessed by the intended recipient, whereby
the second key is hidden from recipients other than 
the intended recipient. 

87. A computer-readable medium according to Claim
80, wherein the receiving step further receives a 
signed header hash and a signed data hash, the 
method further comprising a verifying step of verify- 
ing the authenticity and the integrity of the signed 
header hash and of the signed data hash.

88. A computer-readable medium according to Claim
87, further comprising the step of discarding the
encrypted data rather than outputting an image 
based upon the encrypted data, if the signed
header hash or the signed data hash fail the verifi- 
cation of authenticity and integrity. 

89. A computer-readable medium according to Claim
88, further comprising the step of sending a notice
to a sender of the signed header, if the signed 
header hash or the signed data hash fail the verifi- 
cation of authenticity and integrity. 

90. A computer-readable medium according to Claim
80, wherein the intended image output device is a
printer.



91. A computer-readable medium according to Claim 
80, wherein the intended image output device is a 
facsimile machine. 
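The sender side of Claims 65 to 73 and the printer side of Claims 80 to 89, carried through as one added worked example in Go; it is not part of this patent and not the applicant's code. The claims fix no algorithms, so the example assumes AES-256-GCM for the "first key" layer, RSA-OAEP for the two key-wrapping layers, RSA-PSS over SHA-256 for the signed header hash and data hash, and a header laid out as the GCM nonce followed by the twice-encrypted key; Job, genKey, SealJob and OpenJob are the example's own names, and the sample print data in the test is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Job is what reaches the printer: a header (GCM nonce || twice-encrypted job
// key, claim 65), the ciphertext, and PSS signatures over the SHA-256 hashes
// of header and of data (claim 73). The header layout is this example's own.
type Job struct{ Header, Data, HeaderSig, DataSig []byte }
const nonceLen = 12 // standard AES-GCM nonce size

// genKey stands in for the keys held by the device, the smart card and the sender.
func genKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealJob is the sender side (claims 65-73): random job key, AES-GCM over the
// data, the key wrapped for the printer and then for the recipient (the order
// of claim 69), and one signature each over the hash of header and of data.
func SealJob(plain []byte, printerPub, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Job, error) {
	buf := make([]byte, 32+nonceLen) // job key || nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	inner, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, printerPub, key, nil) // second key
	if err != nil {
		return nil, err
	}
	// RSA-OAEP/SHA-256 takes at most k-66 bytes (RFC 8017, 7.1.1), so the outer
	// recipient modulus must exceed the inner one or this call fails.
	outer, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, inner, nil) // third key
	if err != nil {
		return nil, fmt.Errorf("recipient layer: %w", err)
	}
	hdr := append(append([]byte{}, nonce...), outer...)
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Header as associated data binds ciphertext to header; an addition to the claims.
	data := gcm.Seal(nil, nonce, plain, hdr)
	hh, dh := sha256.Sum256(hdr), sha256.Sum256(data) // hash first, then sign the hash
	hsig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, hh[:], nil)
	if err != nil {
		return nil, err
	}
	dsig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, dh[:], nil)
	if err != nil {
		return nil, err
	}
	return &Job{hdr, data, hsig, dsig}, nil
}

// OpenJob is the printer side (claims 80-89): both signatures are verified
// before any decryption and a failure rejects the job (claim 88; the error is
// what the notice of claim 89 would carry). The recipient's smart-card layer
// (86) comes off first and the printer's own (85) second, reversing claim 69.
func OpenJob(job *Job, recipientPriv, printerPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	for _, p := range [][2][]byte{{job.Header, job.HeaderSig}, {job.Data, job.DataSig}} {
		h := sha256.Sum256(p[0])
		if err := rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], p[1], nil); err != nil {
			return nil, fmt.Errorf("signature rejected, job discarded: %w", err)
		}
	}
	nonce, wrapped := job.Header[:nonceLen], job.Header[nonceLen:]
	inner, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("recipient layer failed (wrong or absent smart card): %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, printerPriv, inner, nil)
	if err != nil {
		return nil, fmt.Errorf("printer layer failed (job not addressed to this device): %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, job.Data, job.Header)
}
```

Two points the claims leave implicit surface here. Nesting one RSA ciphertext inside another only works if the outer key can carry a whole inner modulus, so the recipient's key has to be larger than the printer's (3072 and 2048 bits in the test); with the reverse order of Claims 70 and 83 that constraint moves to the printer's key. And because the signature check runs before either private key is used, a forged or altered job is discarded without ever exercising the smart card or the device key.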

92. A computer-readable medium which stores compu- 
ter-executable process steps for generating an 
image from data transmitted to an intended image 
output device, wherein the data can be used to gen- 
erate the image at the intended image output 
device in the presence of an intended recipient, the 
computer-executable process steps comprising: 

a receiving step to receive a header containing 
a twice-encrypted first key; 
a sending step to send a request for encrypted 
data corresponding to the header; 
a receiving step to receive encrypted data cor- 
responding to the header; 
a first decrypting step to twice decrypt the 
twice-encrypted first key using a second key 
and a third key, the second key being a private 
key of a first private key/public key pair, the pri- 
vate key of the first private key/public key pair 
being primarily in the sole possession of the 
intended recipient of the image, and the third 
key being a private key of a second private 
key/public key pair, the private key of the sec- 
ond private key/public key pair being primarily 
in the sole possession of the intended image 
output device; 

a second decrypting step to decrypt the 
encrypted data using the decrypted first key; 
and 

an image generating step to generate an image 
from the decrypted data. 

93. A computer-readable medium according to Claim 
92, wherein the header is received in the receiving 
step by e-mail. 

94. A computer-readable medium according to Claim 
92, wherein the header also contains a reference to 
a location of the encrypted data, and wherein the 
request for encrypted data contains the reference 
to the location of the encrypted data. 

95. A printer driver which securely transmits data to an 
intended printer, wherein the data can be used to 
generate an image at the intended printer in the 
presence of an intended recipient, the printer driver 
comprising: 

data generating code for generating data for an 
image; 

encrypting code for twice encrypting the data 
using a first key and a second key, the first key 
being a public key of a first private key/public 
key pair, a private key of the first private 
key/public key pair being primarily in the sole
possession of the intended image output 
device, and the second key being a public key 
of a second private key/public key pair, a private
key of the second private key/public key
pair being primarily in the sole possession of 
the intended recipient of the image; and 
transmitting code for transmitting the twice- 
encrypted data to the intended image output 
device.

96. A printer driver which securely transmits data to an 
intended printer, wherein the data can be used to 
generate an image at the intended printer in the 
presence of an intended recipient, the printer driver
comprising: 

data generating code for generating data for an 
image; 

first encrypting code for encrypting the data
using a first key; 

second encrypting code for twice encrypting 
the first key using a second key and a third key, 
the second key being a public key of a first private
key/public key pair, a private key of the first
private key/public key pair being primarily in the 
sole possession of the intended image output 
device, and the third key being a public key of a 
second private key/public key pair, a private 
key of the second private key/public key pair
being primarily in the sole possession of the 
intended recipient of the image; and 
transmitting code for transmitting the encrypted 
data and the twice-encrypted first key to the 
intended printer.

97. A printer driver according to Claim 96, wherein the 
first key is randomly generated.

98. A printer driver according to Claim 96, wherein the
first encrypting code utilizes a symmetric encryp- 
tion algorithm. 

99. A printer driver according to Claim 96, wherein the
second encrypting code utilizes an asymmetric
encryption algorithm. 

100. A printer driver according to Claim 96, wherein the 
second encrypting code encrypts the first key using
the second key before encrypting the first key using
the third key.

101. A printer driver according to Claim 96, wherein the
second encrypting code encrypts the first key using 
the third key before encrypting the first key using
the second key. 

102. A printer driver according to Claim 96, wherein the
twice-encrypted first key is contained in a header 
which also contains information related to the iden- 
tity of a person initiating the secure transmission. 

103. A printer driver according to Claim 102, wherein the 
header also contains a signed header hash and a 
signed data hash, and further comprising verifica- 
tion code for verification of the authenticity and 
integrity of the signed header hash and of the 
signed data hash. 

104. A printer driver according to Claim 103, further 
comprising sending code for sending a notice to a 
sender of the header, if one of the signed header 
hash and signed data hash fails the verification of 
authenticity and integrity. 

105. A printer driver which securely transmits data to an 
intended printer, wherein the data can be used to 
generate an image at the intended printer in the 
presence of an intended recipient, the printer driver 
comprising: 

data generating code for generating data for an 
image; 

first encrypting code for encrypting the data 
using a first key; 

second encrypting code for twice encrypting 
the first key using a second key and a third key, 
the second key being a public key of a first pri- 
vate key/public key pair, a private key of the first 
private key/public key pair being primarily in the 
sole possession of the intended image output 
device, and the third key being a public key of a 
second private key/public key pair, a private 
key of the second private key/public key pair 
being primarily in the sole possession of the 
intended recipient of the image; 
generating code for generating a header con- 
taining the twice-encrypted first key; 
first transmitting code for transmitting the 
header to the intended image output device; 
receiving code for receiving a request from the 
intended image output device for the encrypted 
data; and 

second transmitting code for transmitting the 
encrypted data to the intended image output 
device. 

106. A printer driver according to Claim 105, wherein the
first transmitting code transmits the header to the 
intended image output device by e-mail. 

107. A printer driver according to Claim 105, wherein the
header which is generated in the generating code 
also contains a reference to a location of the 
encrypted data, and wherein the request for 
encrypted data contains the reference to the
location of the encrypted data.

108. Computer-executable process steps stored on a
computer-readable medium, the computer-execut- 
able process steps for generating an image from 
twice-encrypted data transmitted to an intended 
image output device, wherein the twice-encrypted 
data can be used to generate the image at the 
intended image output device in the presence of an 
intended recipient, said computer-executable proc- 
ess steps comprising: 

receiving code to receive twice-encrypted data; 
decrypting code to twice decrypt the twice- 
encrypted data using a first key and a second 
key, the first key being a private key of a first pri- 
vate key/public key pair, the private key of the 
first private key/public key pair being primarily 
in the sole possession of the intended recipient 
of the image, and the second key being a pri- 
vate key of a second private key/public key pair, 
the private key of the second private key/public 
key pair being primarily in the sole possession 
of the intended image output device; and 
an image generating code to generate an 
image from the decrypted data. 

109. Computer-executable process steps stored on a
computer-readable medium, the computer-execut- 
able process steps for generating an image from 
twice-encrypted data transmitted to an intended 
image output device, wherein the twice- encrypted 
data can be used to generate the image at the 
intended image output device in the presence of an 
intended recipient, said computer-executable proc- 
ess steps comprising: 

receiving code to receive encrypted data and a 
twice-encrypted first key; 

first decrypting code to twice decrypt the twice- 
encrypted first key using a second key and a 
third key, the second key being a private key of 
a first private key/public key pair, the private 
key of the first private key/public key pair being 
primarily in the sole possession of the intended 
recipient of the image, and the third key being a 
private key of a second private key/public key 
pair, the private key of the second private 
key/public key pair being primarily in the sole 
possession of the intended image output 
device; 

second decrypting code to decrypt the 
encrypted data using the decrypted first key; 
and 

image generating code to generate an image 
from the decrypted data. 

110. Computer-executable process steps according to
Claim 109, wherein the first decrypting code utilizes
an asymmetric decryption algorithm. 

111. Computer-executable process steps according to
Claim 109, wherein the second decrypting code
utilizes a symmetric decryption algorithm.

112. Computer-executable process steps according to
Claim 109, wherein the first decrypting code
decrypts the twice-encrypted first key using the
second key before decrypting the twice-encrypted 
first key using the third key. 

113. Computer-executable process steps according to
Claim 109, wherein the first decrypting code
decrypts the twice-encrypted first key using the
third key before decrypting the twice-encrypted first
key using the second key.

114. Computer-executable process steps according to
Claim 109, wherein the third key is contained within
the intended image output device, whereby the third 
key is primarily shielded from access by devices 
other than the intended image output device. 


115. Computer-executable process steps according to
Claim 109, wherein the second key is contained in
a smart-card possessed by the intended recipient,
whereby the second key is hidden from recipients
other than the intended recipient.

116. Computer-executable process steps according to
Claim 109, wherein the receiving code further
receives a signed header hash and a signed data
hash, the method further comprising verifying code
to verify the authenticity and the integrity of the 
signed header hash and of the signed data hash. 

117. Computer-executable process steps according to
Claim 116, further comprising code to discard the
encrypted data rather than outputting an image
based upon the encrypted data, if the signed
header hash or the signed data hash fail the verifi- 
cation of authenticity and integrity. 


118. Computer-executable process steps according to
Claim 117, further comprising code to send a notice
to a sender of the signed header, if the signed
header hash or the signed data hash fail the
verification of authenticity and integrity.

119. Computer-executable process steps according to
Claim 109, wherein the intended image output
device is a printer. 


120. Computer-executable process steps according to
Claim 109, wherein the intended image output
device is a facsimile machine. 
121. Computer-executable process steps stored on a
computer-readable medium, the computer-executable
process steps for generating an image from
data transmitted to an intended image output 
device, wherein the data can be used to generate
the image at the intended image output device in 
the presence of an intended recipient, the compu- 
ter-executable process steps comprising: 

receiving code to receive a header containing a 
twice-encrypted first key; 

sending code to send a request for encrypted 
data corresponding to the header; 
receiving code to receive encrypted data corre- 
sponding to the header; 

first decrypting code to twice decrypt the twice- 
encrypted first key using a second key and a 
third key, the second key being a private key of 
a first private key/public key pair, the private 
key of the first private key/public key pair being 
primarily in the sole possession of the intended 
recipient of the image, and the third key being a 
private key of a second private key/public key 
pair, the private key of the second private 
key/public key pair being primarily in the sole
possession of the intended image output 
device; 

second decrypting code to decrypt the 
encrypted data using the decrypted first key; 
and 

image generating code to generate an image 
from the decrypted data. 

122. Computer-executable process steps according to
Claim 121, wherein the header is received by e-mail.

123. Computer-executable process steps according to
Claim 121, wherein the header also contains a
reference to a location of the encrypted data, and
wherein the request for encrypted data contains the 
reference to the location of the encrypted data. 

124. A signal conveying machine readable instructions 
for causing a processor to perform a method
according to any one of Claims 1 to 31 or for caus- 
ing the processor to act as a computer for use in an 
apparatus according to any one of Claims 32 to 47 
or for causing the processor to act as an image
output device according to any one of Claims 48 to 63
or for causing the processor to act as a printer 
driver according to any one of Claims 95 to 107.